Monitoring and detection of fraudulent or unauthorized use in telephone conferencing systems or voice networks

ABSTRACT

Novel tools and techniques are provided for implementing monitoring and detection of fraudulent or unauthorized use in telephone conferencing systems or voice networks. In various embodiments, a computing system might monitor call activity through telephone conferencing system or voice network. In response to detecting use of the telephone conferencing system or voice network by at least one party based on the monitored call activity, the computing system might identify incoming and/or outgoing associated with a call initiated by the at least one party. The computing system might analyze the identified incoming and/or outgoing call data to determine whether the call initiated by the at least one party constitutes at least one of fraudulent use or unauthorized use of the telephone conferencing system or voice network. If so, the computing system might initiate one or more first actions.

COPYRIGHT STATEMENT

A portion of the disclosure of this patent document contains materialthat is subject to copyright protection. The copyright owner has noobjection to the facsimile reproduction by anyone of the patent documentor the patent disclosure as it appears in the Patent and TrademarkOffice patent file or records, but otherwise reserves all copyrightrights whatsoever.

FIELD

The present disclosure relates, in general, to methods, systems, andapparatuses for implementing monitoring and detection of fraudulent orunauthorized use, and, more particularly, to methods, systems, andapparatuses for implementing monitoring and detection of fraudulent orunauthorized use in telephone conferencing systems or voice networks.

BACKGROUND

In conventional telephone conference systems or voice networks,fraudulent and/or unauthorized usage is rampant and mostly unchecked. Inparticular, in conventional telephone conference systems or voicenetworks, it is difficult to identify fraudulent and/or unauthorizedusage (e.g., users guessing a chairperson or leader code or personalidentification number (“PIN”) after already identifying a validtelephone conference account; a user(s) using the telephone conferencesystem or voice network to initiate bulk calls, robocalls, denial ofservice (“DoS”) attacks; a user(s) using the telephone conference systemor voice network to hide their identity; a user(s) using the telephoneconference system or voice network to bypass long distance or othertelephone charges; etc.).

Hence, there is a need for more robust and scalable solutions forimplementing monitoring and detection of fraudulent or unauthorized use,and, more particularly, to methods, systems, and apparatuses forimplementing monitoring and detection of fraudulent or unauthorized usein telephone conferencing systems or voice networks.

BRIEF DESCRIPTION OF THE DRAWINGS

A further understanding of the nature and advantages of particularembodiments may be realized by reference to the remaining portions ofthe specification and the drawings, in which like reference numerals areused to refer to similar components. In some instances, a sub-label isassociated with a reference numeral to denote one of multiple similarcomponents. When reference is made to a reference numeral withoutspecification to an existing sub-label, it is intended to refer to allsuch multiple similar components.

FIG. 1 is a schematic diagram illustrating a system for implementingmonitoring and detection of fraudulent or unauthorized use in telephoneconferencing systems or voice networks, in accordance with variousembodiments.

FIGS. 2A-2C are schematic diagrams illustrating various non-limitingexamples of configurations for telephone conferencing for whichfraudulent or unauthorized use monitoring and detection may beimplemented, in accordance with various embodiments.

FIG. 3 is a schematic diagram illustrating a non-limiting example of useof a trunking bridge for a telephone conference system or voice networkfor which fraudulent or unauthorized use monitoring and detection may beimplemented, in accordance with various embodiments.

FIGS. 4A-4E are flow diagrams illustrating a method for implementingmonitoring and detection of fraudulent or unauthorized use in telephoneconferencing systems or voice networks, in accordance with variousembodiments.

FIG. 5 is a block diagram illustrating an exemplary computer or systemhardware architecture, in accordance with various embodiments.

FIG. 6 is a block diagram illustrating a networked system of computers,computing systems, or system hardware architecture, which can be used inaccordance with various embodiments.

DETAILED DESCRIPTION OF CERTAIN EMBODIMENTS

Overview

Various embodiments provide tools and techniques for implementingmonitoring and detection of fraudulent or unauthorized use, and, moreparticularly, to methods, systems, and apparatuses for implementingmonitoring and detection of fraudulent or unauthorized use in telephoneconferencing systems or voice networks.

In various embodiments, a computing system might monitor call activitythrough telephone conferencing system or voice network. In response todetecting use of the telephone conferencing system or voice network byat least one party based on the monitored call activity, the computingsystem might identify at least one of incoming call data or outgoingcall data associated with a call initiated by the at least one party.The computing system might analyze the identified at least one ofincoming call data or outgoing call data to determine whether the callinitiated by the at least one party constitutes at least one offraudulent use or unauthorized use of the telephone conferencing systemor voice network. Based on a determination that the call initiated bythe at least one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice network,the computing system might initiate one or more first actions.

In some embodiments, the incoming call data might include, withoutlimitation, at least one of conference identification informationassociated with a conference bridge, timestamp of call origination byeach call-in party to the conference bridge, origination telephonenumber associated with each call-in party, geographic locationinformation associated with each call-in party, or line identifier(e.g., network line, conference line, media resource line, or the like)corresponding to connection between each call-in party and theconference bridge, and/or the like. In some cases, the outgoing calldata might include, but is not limited to, at least one of conferenceidentification information associated with a conference bridge,timestamp of call origination by each call-out party from the conferencebridge, destination telephone number associated with each destinationparty called by each call-out party, geographic location informationassociated with each call-out party, line identifier (e.g., networkline, conference line, media resource line, or the like) correspondingto connection between each destination party and the conference bridge,or telephone number associated with each call-out party, and/or thelike. In some instances, the call might be initiated by web control bythe at least one parties, and the identified at least one of incomingcall data or outgoing call data might include, without limitation, atleast one of conference identification information associated with aconference bridge, timestamp of call origination by each call-in partyto the conference bridge, timestamp of call origination by each call-outparty from the conference bridge, geographic location informationassociated with each call-in party, geographic location informationassociated with each call-out party, Internet protocol (“IP”) addressassociated with each call-in party, IP address associated with eachcall-out party, or WebSocket connection information, and/or the like.

According to some embodiments, identifying the at least one of theincoming call data or the outgoing call data associated with a callinitiated by the at least one party might comprise obtaining the atleast one of the incoming call data or the outgoing call data by atleast one of scraping an application log file associated with thetelephone conferencing system or voice network (not shown), using anapplication programming interface (“API”) between the computing systemand the telephone conferencing system or voice network (not shown), orusing a tracking service (not shown), and/or the like.

In some embodiments, the one or more first actions might include, but isnot limited to, at least one of temporarily blocking a network trunk;escalating disablement of a network trunk; permanently blocking anetwork trunk; temporarily blocking an account with the telephoneconferencing system; escalating disablement of an account with thetelephone conferencing system; permanently blocking an account with thetelephone conferencing system; blocking one or more features of anaccount with the telephone conferencing system; changing routing of thecall to route through specialized equipment for monitoring or recordingthe call; changing routing of the call to route to a call center;changing routing of the call to route to a law enforcement facility;changing routing of the call to route to a message service; changingrouting of the call to route to an interactive voice response (“IVR”)system; changing routing of the call to terminate the call; sending analert regarding the call to at least one of an account owner, an accountmanager, a call center representative, or a law enforcementrepresentative; sending an e-mail message regarding the call to at leastone of an account owner, an account manager, a call centerrepresentative, or a law enforcement representative; sending a shortmessage service (“SMS”) message regarding the call to at least one of anaccount owner, an account manager, a call center representative, or alaw enforcement representative; sending a text message regarding thecall to at least one of an account owner, an account manager, a callcenter representative, or a law enforcement representative; initiating atelephone call regarding the call to at least one of an account owner,an account manager, a call center representative, or a law enforcementrepresentative; or logging information regarding the call to a log fileor a database system; and/or the like.

In some cases, at least one of the alert, the e-mail message, the SMSmessage, the text message, or the telephone call, and/or the like, mightcomprise at least one of an option to block access to the account by theat least one party, an option to change account credentials associatedwith the account, an option to contact the account owner, or an optionto disconnect the call, based at least in part on a determination thatthe call is deemed by the at least one of the account owner, the accountmanager, the call center representative, or the law enforcementrepresentative to be at least one of fraudulent use or unauthorized useof the telephone conferencing system or voice network, and/or the like.

These and other aspects of the fraudulent or unauthorized use detectionin telephone conferencing systems or voice networks are described ingreater detail with respect to the figures.

The following detailed description illustrates a few exemplaryembodiments in further detail to enable one of skill in the art topractice such embodiments. The described examples are provided forillustrative purposes and are not intended to limit the scope of theinvention.

In the following description, for the purposes of explanation, numerousspecific details are set forth in order to provide a thoroughunderstanding of the described embodiments. It will be apparent to oneskilled in the art, however, that other embodiments of the presentinvention may be practiced without some of these specific details. Inother instances, certain structures and devices are shown in blockdiagram form. Several embodiments are described herein, and whilevarious features are ascribed to different embodiments, it should beappreciated that the features described with respect to one embodimentmay be incorporated with other embodiments as well. By the same token,however, no single feature or features of any described embodimentshould be considered essential to every embodiment of the invention, asother embodiments of the invention may omit such features.

Unless otherwise indicated, all numbers used herein to expressquantities, dimensions, and so forth used should be understood as beingmodified in all instances by the term “about.” In this application, theuse of the singular includes the plural unless specifically statedotherwise, and use of the terms “and” and “or” means “and/or” unlessotherwise indicated. Moreover, the use of the term “including,” as wellas other forms, such as “includes” and “included,” should be considerednon-exclusive. Also, terms such as “element” or “component” encompassboth elements and components comprising one unit and elements andcomponents that comprise more than one unit, unless specifically statedotherwise.

Various embodiments described herein, while embodying (in some cases)software products, computer-performed methods, and/or computer systems,represent tangible, concrete improvements to existing technologicalareas, including, without limitation, teleconferencing or telephoneconferencing technology, telephone conference or voice networkmonitoring technology, and/or the like. In other aspects, certainembodiments, can improve the functioning of user equipment or systemsthemselves (e.g., teleconferencing or telephone conferencing systems,telephone conference or voice network monitoring systems, etc.), forexample, by monitoring, with a computing system, call activity through atelephone conferencing system or voice network; in response to detectinguse of the telephone conferencing system or voice network by at leastone party based on the monitored call activity, identifying, with thecomputing system, at least one of incoming call data or outgoing calldata associated with a call initiated by the at least one party;analyzing, with the computing system, the identified at least one ofincoming call data or outgoing call data to determine whether the callinitiated by the at least one party constitutes at least one offraudulent use or unauthorized use of the telephone conferencing systemor voice network; and based on a determination that the call initiatedby the at least one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice network,initiating, with the computing system, one or more first actions; and/orthe like.

In particular, to the extent any abstract concepts are present in thevarious embodiments, those concepts can be implemented as describedherein by devices, software, systems, and methods that involve specificnovel functionality (e.g., steps or operations), such as, in response todetecting use of the telephone conferencing system or voice network byat least one party based on the monitored call activity, identifying,with the computing system, at least one of incoming call data oroutgoing call data associated with a call initiated by the at least oneparty; analyzing, with the computing system, the identified at least oneof incoming call data or outgoing call data to determine whether thecall initiated by the at least one party constitutes at least one offraudulent use or unauthorized use of the telephone conferencing systemor voice network; and based on a determination that the call initiatedby the at least one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice network,initiating, with the computing system, one or more first actions; and/orthe like, to name a few examples, that extend beyond mere conventionalcomputer processing operations. These functionalities can producetangible results outside of the implementing computer system, including,merely by way of example, optimized monitoring and tracking of usage oftelephone conference systems or voice networks to detect fraudulent orunauthorized usage and to implement actions to address the detectedfraudulent or unauthorized usage, and/or the like, at least some ofwhich may be observed or measured by customers and/or service providers.

In an aspect, a method might comprise monitoring, with a computingsystem, call activity through a telephone conferencing system or voicenetwork; in response to detecting use of the telephone conferencingsystem or voice network by at least one party based on the monitoredcall activity, identifying, with the computing system, at least one ofincoming call data or outgoing call data associated with a callinitiated by the at least one party; analyzing, with the computingsystem, the identified at least one of incoming call data or outgoingcall data to determine whether the call initiated by the at least oneparty constitutes at least one of fraudulent use or unauthorized use ofthe telephone conferencing system or voice network; and based on adetermination that the call initiated by the at least one partyconstitutes at least one of fraudulent use or unauthorized use of thetelephone conferencing system or voice network, initiating, with thecomputing system, one or more first actions.

In some embodiments, the incoming call data might comprise at least oneof conference identification information associated with a conferencebridge, timestamp of call origination by each call-in party to theconference bridge, origination telephone number associated with eachcall-in party, geographic location information associated with eachcall-in party, or line identifier (e.g., network line, conference line,media resource line, or the like) corresponding to connection betweeneach call-in party and the conference bridge, and/or the like. In somecases, the outgoing call data might comprise at least one of conferenceidentification information associated with a conference bridge,timestamp of call origination by each call-out party from the conferencebridge, destination telephone number associated with each destinationparty called by each call-out party, geographic location informationassociated with each call-out party, line identifier (e.g., networkline, conference line, media resource line, or the like) correspondingto connection between each destination party and the conference bridge,or telephone number associated with each call-out party, and/or thelike. In some instances, the call might be initiated by web control,wherein the identified at least one of incoming call data or outgoingcall data might comprise at least one of conference identificationinformation associated with a conference bridge, timestamp of callorigination by each call-in party to the conference bridge, timestamp ofcall origination by each call-out party from the conference bridge,geographic location information associated with each call-in party,geographic location information associated with each call-out party,Internet protocol (“IP”) address associated with each call-in party, IPaddress associated with each call-out party, or WebSocket connectioninformation, and/or the like.

According to some embodiments, identifying the at least one of theincoming call data or the outgoing call data associated with a callinitiated by the at least one party might comprise obtaining the atleast one of the incoming call data or the outgoing call data by atleast one of scraping an application log file associated with thetelephone conferencing system or voice network, using an applicationprogramming interface (“API”) between the computing system and thetelephone conferencing system or voice network, or using a trackingservice, and/or the like.

Merely by way of example, in some instances, determining whether thecall initiated by the at least one party constitutes at least one offraudulent use or unauthorized use of the telephone conferencing systemor voice network might comprise comparing, with the computing system,the identified at least one of incoming call data or outgoing call datawith metadata, wherein the metadata might comprise at least one ofaccount identifier associated with a user account with the telephoneconferencing system or voice network, a telephone number associated withan account owner associated with the user account, geographicinformation associated with the account owner, or contact informationassociated with the account owner, and/or the like.

Alternatively, or additionally, determining whether the call initiatedby the at least one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice networkmight comprise determining that the at least one party is anunauthorized user who is using a user account with the telephoneconferencing system or voice network for personal use or to sell tounsuspecting end-users, by at least one of determining that a personalidentification number (“PIN”) or leader code associated with the useraccount has been incorrectly entered more than a predetermined number oftimes, determining that an origination telephone number associated withthe at least one party does not match a telephone number associated withan account owner associated with the user account, determining that theat least one party is calling from a location that is different fromgeographic location associated with the account owner, determining thatthe at least one party is calling from a location that has a knownpropensity for initiating fraudulent calls, or determining that at leastone of one or more destination parties is located in a foreign country,and/or the like.

Alternatively, or additionally, determining whether the call initiatedby the at least one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice networkmight comprise one of determining that the at least one party is usingthe telephone conferencing system or voice network as a bulk callgenerator, determining that the at least one party is using thetelephone conferencing system or voice network as an originator ofrobocalls, or determining that the at least one party is using thetelephone conferencing system or voice network as part of a denial ofservice (“DoS”) attack, and/or the like, by at least one of determiningthat a number of out-dials from a single user account with the telephoneconferencing system or voice network exceeds a predetermined thresholdnumber of calls within a predetermined period, determining that the atleast one party is calling from a location that has a known propensityfor initiating fraudulent calls, determining that the at least one partyis located in a foreign country, or determining that at least one of oneor more destination parties is located in a foreign country, and/or thelike.

Alternatively, or additionally, determining whether the call initiatedby the at least one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice networkmight comprise determining that the at least one party is attempting tohide its identity or to hide direct communications by the at least oneparty, by at least one of determining that an origination telephonenumber associated with the at least one party does not match a telephonenumber associated with an account owner associated with the user accountor determining that the at least one party is calling from a locationthat is different from geographic location associated with the accountowner, or the like.

Alternatively, or additionally, determining whether the call initiatedby the at least one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice networkmight comprise determining that the at least one party is attempting tobypass long distance charges, by at least one of determining that anorigination telephone number associated with the at least one party doesnot match a telephone number associated with an account owner associatedwith the user account, determining that the at least one party iscalling from a location that is different from geographic locationassociated with the account owner, or determining that the call would besubject to long distance charges if initiated without using thetelephone conferencing system, and/or the like.

Alternatively, or additionally, determining whether the call initiatedby the at least one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice networkmight comprise utilizing at least one of an artificial intelligence(“AI”) system or a machine learning system, and/or the like, todetermine whether the call initiated by the at least one partyconstitutes at least one of fraudulent use or unauthorized use of thetelephone conferencing system or voice network.

In some embodiments, the one or more first actions might comprise atleast one of temporarily blocking a network trunk; escalatingdisablement of a network trunk; permanently blocking a network trunk;temporarily blocking an account with the telephone conferencing system;escalating disablement of an account with the telephone conferencingsystem; permanently blocking an account with the telephone conferencingsystem; blocking one or more features of an account with the telephoneconferencing system; changing routing of the call to route throughspecialized equipment for monitoring or recording the call; changingrouting of the call to route to a call center; changing routing of thecall to route to a law enforcement facility; changing routing of thecall to route to a message service; changing routing of the call toroute to an interactive voice response (“IVR”) system; changing routingof the call to terminate the call; sending an alert regarding the callto at least one of an account owner, an account manager, a call centerrepresentative, or a law enforcement representative; sending an e-mailmessage regarding the call to at least one of an account owner, anaccount manager, a call center representative, or a law enforcementrepresentative; sending a short message service (“SMS”) messageregarding the call to at least one of an account owner, an accountmanager, a call center representative, or a law enforcementrepresentative; sending a text message regarding the call to at leastone of an account owner, an account manager, a call centerrepresentative, or a law enforcement representative; initiating atelephone call regarding the call to at least one of an account owner,an account manager, a call center representative, or a law enforcementrepresentative; or logging information regarding the call to a log fileor a database system; and/or the like. In some cases, at least one ofthe alert, the e-mail message, the SMS message, the text message, or thetelephone call, and/or the like, might comprise at least one of anoption to block access to the account by the at least one party, anoption to change account credentials associated with the account, anoption to contact the account owner, or an option to disconnect thecall, based at least in part on a determination that the call is deemedby the at least one of the account owner, the account manager, the callcenter representative, or the law enforcement representative to be atleast one of fraudulent use or unauthorized use of the telephoneconferencing system or voice network, and/or the like.

According to some embodiments, the method might further compriselogging, with the computing system, information regarding the call to alog file or a database system; analyzing, with the computing system, thelogged information to generate historical data associated with one ormore of the at least one party, an account with the telephoneconferencing system or voice network that is used by the at least oneparty to initiate the call, a conference bridge used by the at least oneparty to initiate the call, at least one destination party connected bythe call, or at least one location associated with each party;determining, with the computing system, one or more weighted measuresassociated with each generated historical data; and generating, with thecomputing system, a score based on the historical data and the one ormore weighted measures, the score being representative of a probabilityof fraudulent use or unauthorized use. In such embodiments, determiningwhether the call initiated by the at least one party constitutes atleast one of fraudulent use or unauthorized use of the telephoneconferencing system or voice network might comprise determining whetherthe call initiated by the at least one party constitutes at least one offraudulent use or unauthorized use of the telephone conferencing systemor voice network based at least in part on the generated score.

In some embodiments, the method might further comprise providing atrunking bridge between the at least one party and the telephoneconferencing system or voice network, wherein the trunking bridge mightcomprise one of a public switched telephone network (“PSTN”) trunkingbridge, an integrated services digital network (“ISDN) trunking bridge,a voice over Internet protocol (“VoIP”) trunking bridge, or a sessioninitiation protocol (“SIP”) trunking bridge, and/or the like.

In another aspect, an apparatus might comprise at least one processorand a non-transitory computer readable medium communicatively coupled tothe at least one processor. The non-transitory computer readable mediummight have stored thereon computer software comprising a set ofinstructions that, when executed by the at least one processor, causesthe apparatus to: monitor call activity through a telephone conferencingsystem or voice network; in response to detecting use of the telephoneconferencing system or voice network by at least one party based on themonitored call activity, identify at least one of incoming call data oroutgoing call data associated with a call initiated by the at least oneparty; analyze the identified at least one of incoming call data oroutgoing call data to determine whether the call initiated by the atleast one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice network;and based on a determination that the call initiated by the at least oneparty constitutes at least one of fraudulent use or unauthorized use ofthe telephone conferencing system or voice network, initiate one or morefirst actions.

In some embodiments, the one or more first actions might comprise atleast one of temporarily blocking a network trunk; escalatingdisablement of a network trunk; permanently blocking a network trunk;temporarily blocking an account with the telephone conferencing system;escalating disablement of an account with the telephone conferencingsystem; permanently blocking an account with the telephone conferencingsystem; blocking one or more features of an account with the telephoneconferencing system; changing routing of the call to route throughspecialized equipment for monitoring or recording the call; changingrouting of the call to route to a call center; changing routing of thecall to route to a law enforcement facility; changing routing of thecall to route to a message service; changing routing of the call toroute to an interactive voice response (“IVR”) system; changing routingof the call to terminate the call; sending an alert regarding the callto at least one of an account owner, an account manager, a call centerrepresentative, or a law enforcement representative; sending an e-mailmessage regarding the call to at least one of an account owner, anaccount manager, a call center representative, or a law enforcementrepresentative; sending a short message service (“SMS”) messageregarding the call to at least one of an account owner, an accountmanager, a call center representative, or a law enforcementrepresentative; sending a text message regarding the call to at leastone of an account owner, an account manager, a call centerrepresentative, or a law enforcement representative; initiating atelephone call regarding the call to at least one of an account owner,an account manager, a call center representative, or a law enforcementrepresentative; or logging information regarding the call to a log fileor a database system; and/or the like.

According to some embodiments, the set of instructions, when executed bythe at least one processor, might further cause the apparatus to: loginformation regarding the call to a log file or a database system;analyze the logged information to generate historical data associatedwith one or more of the at least one party, an account with thetelephone conferencing system or voice network that is used by the atleast one party to initiate the call, a conference bridge used by the atleast one party to initiate the call, at least one destination partyconnected by the call, or at least one location associated with eachparty; determine one or more weighted measures associated with eachgenerated historical data; and generate a score based on the historicaldata and the one or more weighted measures, the score beingrepresentative of a probability of fraudulent use or unauthorized use.In such embodiments, determining whether the call initiated by the atleast one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice networkmight comprise determining whether the call initiated by the at leastone party constitutes at least one of fraudulent use or unauthorized useof the telephone conferencing system or voice network based at least inpart on the generated score.

In some embodiments, the set of instructions, when executed by the atleast one processor, might further cause the apparatus to: provide atrunking bridge between the at least one party and the telephoneconferencing system or voice network, wherein the trunking bridge mightcomprise one of a public switched telephone network (“PSTN”) trunkingbridge, an integrated services digital network (“ISDN) trunking bridge,a voice over Internet protocol (“VoIP”) trunking bridge, or a sessioninitiation protocol (“SIP”) trunking bridge, and/or the like. In suchembodiments, the trunking bridge might facilitate monitoring callactivity and initiation of the one or more first actions.

In yet another aspect, a system might comprise a computing system, whichmight comprise at least one first processor and a first non-transitorycomputer readable medium communicatively coupled to the at least onefirst processor. The first non-transitory computer readable medium mighthave stored thereon computer software comprising a first set ofinstructions that, when executed by the at least one first processor,causes the computing system to: monitor call activity through atelephone conferencing system or voice network; in response to detectinguse of the telephone conferencing system or voice network by at leastone party based on the monitored call activity, identify at least one ofincoming call data or outgoing call data associated with a callinitiated by the at least one party; analyze the identified at least oneof incoming call data or outgoing call data to determine whether thecall initiated by the at least one party constitutes at least one offraudulent use or unauthorized use of the telephone conferencing systemor voice network; and based on a determination that the call initiatedby the at least one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice network,initiate one or more first actions.

Various modifications and additions can be made to the embodimentsdiscussed without departing from the scope of the invention. Forexample, while the embodiments described above refer to particularfeatures, the scope of this invention also includes embodiments havingdifferent combination of features and embodiments that do not includeall of the above described features.

Specific Exemplary Embodiments

We now turn to the embodiments as illustrated by the drawings. FIGS. 1-6illustrate some of the features of the method, system, and apparatus forimplementing monitoring and detection of fraudulent or unauthorized use,and, more particularly, to methods, systems, and apparatuses forimplementing monitoring and detection of fraudulent or unauthorized usein telephone conferencing systems or voice networks, as referred toabove. The methods, systems, and apparatuses illustrated by FIGS. 1-6refer to examples of different embodiments that include variouscomponents and steps, which can be considered alternatives or which canbe used in conjunction with one another in the various embodiments. Thedescription of the illustrated methods, systems, and apparatuses shownin FIGS. 1-6 is provided for purposes of illustration and should not beconsidered to limit the scope of the different embodiments.

With reference to the figures, FIG. 1 is a schematic diagramillustrating a system 100 for implementing monitoring and detection offraudulent or unauthorized use in telephone conferencing systems orvoice networks, in accordance with various embodiments.

In the non-limiting embodiment of FIG. 1 , system 100 might comprise oneor more calling devices 105 that are associated with or used bycorresponding one or more originating parties 110 to initiate aconference call with one or more called devices 115 that are associatedwith or used by corresponding one or more destination parties 120 a-120n (collectively, “destination parties 120” or the like) using atelephone conference system or voice network 125 over one or morenetworks 130 a-130 n (collectively, “networks 130” or the like).According to some embodiments, the conference call might be a callbetween two parties or among three or more parties over a conferenceplatform, such as a conference bridge or the like provided by thetelephone conference system or voice network 125, and may include,without limitation, a voice only conference call, a video conferencecall (with voice functionality), a voice over Internet protocol (“VoIP”)conference call, a web-based or Internet based video conference call,and/or the like. The one or more calling devices 105 might include, butis not limited to, at least one of a telephone 105 a, a smart phone 105b, a mobile phone 105 c, a tablet computer (not shown), a laptopcomputer (not shown), a wearable device (not shown), or the like.Similarly, the one or more called devices might include, withoutlimitation, at least one of a telephone 115 a, a smart phone 115 b, amobile phone 115 c, a tablet computer (not shown), a laptop computer(not shown), a wearable device (not shown), or the like.

In some cases, the one or more networks 130 might each include a localarea network (“LAN”), including, without limitation, a fiber network, anEthernet network, a Token-Ring™ network, and/or the like; a wide-areanetwork (“WAN”); a wireless wide area network (“WWAN”); a virtualnetwork, such as a virtual private network (“VPN”); the Internet; anintranet; an extranet; a public switched telephone network (“PSTN”); aninfra-red network; a wireless network, including, without limitation, anetwork operating under any of the IEEE 802.11 suite of protocols, theBluetooth™ protocol known in the art, and/or any other wirelessprotocol; and/or any combination of these and/or other networks. In aparticular embodiment, the network(s) 130 might include an accessnetwork of the service provider (e.g., an Internet service provider(“ISP”)). In another embodiment, the network(s) 130 might include a corenetwork of the service provider, and/or the Internet.

In some embodiments, system 100 might further comprise computing system135 a and corresponding database(s) 140 a as well as computing system135 b and corresponding database(s) 140 b. Computing system 135 a andcorresponding database(s) 140 a might be disposed external to telephoneconference system or voice network 125, while computing system 135 b andcorresponding database(s) 140 b might be disposed within telephoneconference system or voice network 125. System 100 might furthercomprise one or more conference bridges 145 a-145 n (collectively,“conference bridges 145” or the like), one or more logging systems 150 a(optional), and one or more artificial intelligence (“AI”) systems 155(optional), each of which may be disposed within telephone conferencesystem or voice network 125. System 100 might further comprise one ormore logging systems 150 b (optional) that may be disposed external totelephone conference system or voice network 125, in some cases,disposed within a first network 130 a, or the like. System 100 mightfurther comprise one or more user devices 160 associated withcorresponding one or more account owners or account managers 165, one ormore call centers 170 (or call center representatives or user devicesassociated with or used by call center representatives), and one or morelaw enforcement facilities 175 (or law enforcement representatives oruser devices associated with or used by law enforcementrepresentatives), or the like. Herein, although some components ofsystem 100 are indicated as being optional while others are not, this ismerely for the particular embodiment as shown, and, in otherembodiments, one or more of the former set of components (or componentsindicated as being “optional”) may be required while one or more of thelatter set of components (or components not indicated as being“optional”) may in fact be optional.

In operation, computing system 135 a, computing system 135 b, or amonitoring system (such as monitoring system 380 of FIG. 3 , or thelike) (collectively, “computing system” or the like) might monitor callactivity through telephone conferencing system or voice network 125. Inresponse to detecting use of the telephone conferencing system or voicenetwork 125 by at least one party (e.g., at least one of one or moreoriginating parties 110 and/or one or more destination parties 120, orthe like) based on the monitored call activity, the computing systemmight identify at least one of incoming call data or outgoing call dataassociated with a call initiated by the at least one party. Thecomputing system might analyze the identified at least one of incomingcall data or outgoing call data to determine whether the call initiatedby the at least one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice network125. Based on a determination that the call initiated by the at leastone party constitutes at least one of fraudulent use or unauthorized useof the telephone conferencing system or voice network, the computingsystem might initiate one or more first actions.

In some embodiments, the incoming call data might include, withoutlimitation, at least one of conference identification informationassociated with a conference bridge, timestamp of call origination byeach call-in party to the conference bridge, origination telephonenumber associated with each call-in party, geographic locationinformation associated with each call-in party, or line identifier(e.g., network line, conference line, media resource line, or the like)corresponding to connection between each call-in party and theconference bridge, and/or the like. In some cases, the outgoing calldata might include, but is not limited to, at least one of conferenceidentification information associated with a conference bridge,timestamp of call origination by each call-out party from the conferencebridge, destination telephone number associated with each destinationparty called by each call-out party, geographic location informationassociated with each call-out party, line identifier (e.g., networkline, conference line, media resource line, or the like) correspondingto connection between each destination party and the conference bridge,or telephone number associated with each call-out party, and/or thelike. In some instances, the call might be initiated by web control bythe at least one parties, and the identified at least one of incomingcall data or outgoing call data might include, without limitation, atleast one of conference identification information associated with aconference bridge, timestamp of call origination by each call-in partyto the conference bridge, timestamp of call origination by each call-outparty from the conference bridge, geographic location informationassociated with each call-in party, geographic location informationassociated with each call-out party, Internet protocol (“IP”) addressassociated with each call-in party, IP address associated with eachcall-out party, or WebSocket connection information, and/or the like.

According to some embodiments, identifying the at least one of theincoming call data or the outgoing call data associated with a callinitiated by the at least one party might comprise obtaining the atleast one of the incoming call data or the outgoing call data by atleast one of scraping an application log file associated with thetelephone conferencing system or voice network (not shown), using anapplication programming interface (“API”) between the computing systemand the telephone conferencing system or voice network 125 (not shown),or using a tracking service (not shown), and/or the like.

Merely by way of example, in some instances, determining whether thecall initiated by the at least one party constitutes at least one offraudulent use or unauthorized use of the telephone conferencing systemor voice network might comprise comparing the identified at least one ofincoming call data or outgoing call data with metadata, wherein themetadata might include, without limitation, at least one of accountidentifier associated with a user account with the telephoneconferencing system or voice network, a telephone number associated withan account owner associated with the user account, geographicinformation associated with the account owner, or contact informationassociated with the account owner, and/or the like.

Alternatively, or additionally, determining whether the call initiatedby the at least one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice networkmight comprise determining that the at least one party is anunauthorized user who is using a user account with the telephoneconferencing system or voice network for personal use or to sell tounsuspecting end-users, by at least one of determining that a personalidentification number (“PIN”) or leader code associated with the useraccount has been incorrectly entered more than a predetermined number oftimes (e.g., 5 times or 6 times, or the like; which is likely indicativeof “PIN scanning” by an offending party trying to guess at the PIN orleader code after having already identified a valid account, or thelike), determining that an origination telephone number associated withthe at least one party does not match a telephone number associated withan account owner associated with the user account, determining that theat least one party is calling from a location that is different fromgeographic location associated with the account owner, determining thatthe at least one party is calling from a location that has a knownpropensity for initiating fraudulent calls, or determining that at leastone of one or more destination parties is located in a foreign country,and/or the like. Any or all of these determinations may result in thecall being flagged for further investigation by the computing system orby a person(s) alerted by the computing system.

Alternatively, or additionally, determining whether the call initiatedby the at least one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice networkmight comprise one of determining that the at least one party is usingthe telephone conferencing system or voice network as a bulk callgenerator, determining that the at least one party is using thetelephone conferencing system or voice network as an originator ofrobocalls, or determining that the at least one party is using thetelephone conferencing system or voice network as part of a denial ofservice (“DoS”) attack, and/or the like, by at least one of determiningthat a number of out-dials from a single user account with the telephoneconferencing system or voice network exceeds a predetermined thresholdnumber of calls within a predetermined period, determining that the atleast one party is calling from a location that has a known propensityfor initiating fraudulent calls, determining that the at least one partyis located in a foreign country, or determining that at least one of oneor more destination parties is located in a foreign country, and/or thelike. Any or all of these determinations may result in the call beingflagged for further investigation by the computing system or by aperson(s) alerted by the computing system. For example, if the number oftimes of dial-out or call-out exceeds a threshold amount (e.g., 20 timesin one day, for instance, although not limited to such an amount), thesystem might flag the activity for further investigation by thecomputing system or by the person(s) alerted by the computing system. Amore sensitive threshold amount may be set for activity that is focusedon a single destination number or single destination party, or the like.

Alternatively, or additionally, determining whether the call initiatedby the at least one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice networkmight comprise determining that the at least one party is attempting tohide its identity or to hide direct communications by the at least oneparty, by at least one of determining that an origination telephonenumber associated with the at least one party does not match a telephonenumber associated with an account owner associated with the user accountor determining that the at least one party is calling from a locationthat is different from geographic location associated with the accountowner, or the like.

Alternatively, or additionally, determining whether the call initiatedby the at least one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice networkmight comprise determining that the at least one party is attempting tobypass long distance charges, by at least one of determining that anorigination telephone number associated with the at least one party doesnot match a telephone number associated with an account owner associatedwith the user account, determining that the at least one party iscalling from a location that is different from geographic locationassociated with the account owner, or determining that the call would besubject to long distance charges if initiated without using thetelephone conferencing system, and/or the like.

Alternatively, or additionally, determining whether the call initiatedby the at least one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice networkmight comprise utilizing at least one of an artificial intelligence(“AI”) system or a machine learning system, and/or the like, todetermine whether the call initiated by the at least one partyconstitutes at least one of fraudulent use or unauthorized use of thetelephone conferencing system or voice network.

In some embodiments, the one or more first actions might include, but isnot limited to, at least one of temporarily blocking a network trunk;escalating disablement of a network trunk; permanently blocking anetwork trunk; temporarily blocking an account with the telephoneconferencing system; escalating disablement of an account with thetelephone conferencing system; permanently blocking an account with thetelephone conferencing system; blocking one or more features of anaccount with the telephone conferencing system; changing routing of thecall to route through specialized equipment for monitoring or recordingthe call; changing routing of the call to route to a call center;changing routing of the call to route to a law enforcement facility;changing routing of the call to route to a message service; changingrouting of the call to route to an interactive voice response (“IVR”)system; changing routing of the call to terminate the call; sending analert regarding the call to at least one of an account owner, an accountmanager, a call center representative, or a law enforcementrepresentative (e.g., to user device(s) 160 associated with accountowner or manager(s) 165, to call center(s) 170, to law enforcementfacility 175, and/or the like); sending an e-mail message regarding thecall to at least one of an account owner, an account manager, a callcenter representative, or a law enforcement representative (e.g., touser device(s) 160 associated with account owner or manager(s) 165, tocall center(s) 170, to law enforcement facility 175, and/or the like);sending a short message service (“SMS”) message regarding the call to atleast one of an account owner, an account manager, a call centerrepresentative, or a law enforcement representative (e.g., to userdevice(s) 160 associated with account owner or manager(s) 165, to callcenter(s) 170, to law enforcement facility 175, and/or the like);sending a text message regarding the call to at least one of an accountowner, an account manager, a call center representative, or a lawenforcement representative (e.g., to user device(s) 160 associated withaccount owner or manager(s) 165, to call center(s) 170, to lawenforcement facility 175, and/or the like); initiating a telephone callregarding the call to at least one of an account owner, an accountmanager, a call center representative, or a law enforcementrepresentative (e.g., to user device(s) 160 associated with accountowner or manager(s) 165, to call center(s) 170, to law enforcementfacility 175, and/or the like); or logging information regarding thecall to a log file or a database system; and/or the like.

In some cases, at least one of the alert, the e-mail message, the SMSmessage, the text message, or the telephone call, and/or the like, mightcomprise at least one of an option to block access to the account by theat least one party, an option to change account credentials associatedwith the account, an option to contact the account owner, or an optionto disconnect the call, based at least in part on a determination thatthe call is deemed by the at least one of the account owner, the accountmanager, the call center representative, or the law enforcementrepresentative to be at least one of fraudulent use or unauthorized useof the telephone conferencing system or voice network, and/or the like.In some instances, blocking an entire network (whether temporarily, inan escalated manner, or permanently) may be applicable if a significantamount of fraudulent or unauthorized use is detected on the networktrunk (e.g., more than 100 such uses per day, or more, for instance,although not limited to such amount). In some cases, if activity isisolated to a particular user account with the telephone conferencesystem or voice network, the account may be disabled (whethertemporarily, in an escalated manner, or permanently) or credentialschanged to prevent future fraudulent or unauthorized usage. In someinstances, if activity is isolated to particular features of a user'saccount (e.g., dial-out permission), that account may be modified tolock out or revoke that feature to prevent future unauthorized usage, orthe like. In some cases, the logged information can be used forreporting, alarming, investigating, learning, and/or even predictingfuture fraudulent usage (perhaps in conjunction with use of the AIsystem(s) 155 or the like). In some embodiments, by tracking the lasttime that an account was used, it is possible for the computing systemto raise the sensitivity of monitoring parameters if a conference bridgeis used for the first time after a long period of non-use. By trackingif an account has definitely been affected by fraudulent or unauthorizeduse, additional measures may be taken to alert the account owner oraccount manager 165 of current activity on his, her, or their account.

According to some embodiments, alternative or additional to theoperations described above, the computing system might log informationregarding the call to a log file or a database system (e.g., database(s)140 a, database(s) 140 b, logging system(s) 150 a, logging system(s) 150b, and/or the like). The computing system might analyze the loggedinformation to generate historical data associated with one or more ofthe at least one party, an account with the telephone conferencingsystem or voice network that is used by the at least one party toinitiate the call, a conference bridge used by the at least oneoriginating party 110 to initiate the call, at least one destinationparty 120 connected by the call, or at least one location associatedwith each party, and/or the like. The computing system might determineone or more weighted measures associated with each generated historicaldata, and might generate a score based on the historical data and theone or more weighted measures, the score being representative of aprobability or likelihood of fraudulent use or unauthorized use. In suchembodiments, determining whether the call initiated by the at least oneparty constitutes at least one of fraudulent use or unauthorized use ofthe telephone conferencing system or voice network might comprisedetermining whether the call initiated by the at least one partyconstitutes at least one of fraudulent use or unauthorized use of thetelephone conferencing system or voice network based at least in part onthe generated score.

In the various embodiments, the activity data that is monitored,tracked, or logged might include real-time data that gives pertinentinformation about activity in the telephone conference system or voicenetwork 125. Such data might include, without limitation, conferencedata (including, but not limited to, conference identifier, timestamp,event start, event end, initiator information (e.g., phone sessioninitiated, VoIP session initiated, web session initiated, firstparticipant has arrived, last participant has left, chairperson orleader has arrived, chairperson or leader has left, etc.), and/or thelike), audio line data (including, but not limited to, conferenceidentifier, line identifier (e.g., network line, conference line, mediaresource line, or the like), far-end number (e.g., outbound—dialednumber, inbound—caller ID, etc.), direction of call, initiator (e.g.,inbound call, outbound call (originated via DTMF), outbound call—websession initiated (API), outbound call—initiated by operator, etc.),and/or the like), or web data (including, but not limited to, conferenceidentifier, timestamp, source IP address, event type (e.g., connectionestablished, session disconnected, conference start, conference end,outbound dial, disconnect line, etc.), and/or the like), and/or thelike.

In some embodiments, a trunking bridge might be provided between the atleast one party and the telephone conferencing system or voice network(as shown in the non-limiting embodiment of FIG. 3 , or the like). Insuch embodiments, the trunking bridge might include, without limitation,one of a public switched telephone network (“PSTN”) trunking bridge, anintegrated services digital network (“ISDN) trunking bridge, a voiceover Internet protocol (“VoIP”) trunking bridge, or a session initiationprotocol (“SIP”) trunking bridge, and/or the like. The use of thetrunking bridge may facilitate monitoring call activity and/orinitiation of the actions listed above.

These and other functions of the system 100 (and its components) aredescribed in greater detail below with respect to FIGS. 2-4 .

FIGS. 2A-2C (collectively, “FIG. 2 ”) are schematic diagramsillustrating various non-limiting examples 200, 200′, or 200″ ofconfigurations for telephone conferencing for which fraudulent orunauthorized use monitoring and detection may be implemented, inaccordance with various embodiments. FIG. 2A depicts an example 200 inwhich all parties call into a conference bridge of a telephoneconference system or voice network, while FIG. 2B depicts an example200′ in which more than one party calls into a conference bridge of atelephone conference system or voice network and one of the call-inparties calls out to one or more destination parties from the conferencebridge, and FIG. 2C depicts an example 200″ in which only one partycalls into a conference bridge of a telephone conference system or voicenetwork and calls out to one or more destination parties from theconference bridge. Although the examples of FIGS. 2A-2C may representlegitimate uses of the telephone conference system or voice network,these examples may also represent configurations in which fraudulent orunauthorized use of the telephone conference system or voice network mayarise.

With reference to FIG. 2A, an example 200 of a configuration fortelephone conferencing might comprise two or more calling device 205(each including, but not limited to, at least one of a telephone 205 a,a smart phone 205 b, a mobile phone 205 c, a tablet computer (notshown), a laptop computer (not shown), a wearable device (not shown), orthe like) that are associated with or used by corresponding one or morecall-in parties 210 a-210 d (collectively, “call-in parties 210” or thelike) to initiate, or participate in, a conference call using telephoneconference system or voice network 225 via one or more networks 230(similar to network(s) 130 of FIG. 1 , or the like). In particular, eachcall-in party 210 a-210 d might dial into or call into a conferencebridge 245 provided by the telephone conference system or voice network225 using a corresponding calling device 205 (as depicted in FIG. 2A bythe arrows pointing from each calling device 215 to the conferencebridge 245 through network(s) 230). A computing system 235 (andcorresponding database(s) 240) might monitor the call activities of thecall-in parties 210 a-210 d using the telephone conference system orvoice network 225 by monitoring the network(s) 230 and tracking callconnections between each calling device 205 associated withcorresponding call-in party 210 a-210 d and the conference bridge 245.This example configuration 200 is subject to, or susceptible to,fraudulent or unauthorized use of the telephone conference system orvoice network 225 when one of the call-in parties 210 or a third party(not shown) provides dial-in details (e.g., conference access number,conference access code, and/or conference chairperson or leader code orpersonal identification number (“PIN”), or the like) to the othercall-in parties 210 while suggesting or promising that the other call-inparties 210 can avoid long distance or other telephone charges, or whiletrying to convince (or deceive) the other call-in parties 210 that theyare purchasing or using “pre-paid” conference services or “pre-paid”calling cards, when the one of the call-in parties 210 or the thirdparty is not authorized to provide the other call-in parties 210 withaccess to use to the telephone conference system or voice network 225.This example configuration 200 is also (or alternatively) subject to, orsusceptible to, fraudulent or unauthorized use of the telephoneconference system or voice network 225 when one or more of the call-inparties 210 a-210 d use the conference bridge 245 or the telephoneconference system or voice network 225 to try to obfuscate or hide theiridentity or to add a layer of indirection in an attempt to slow orconfuse monitoring systems (e.g., law enforcement or other entities)especially when using an account with the telephone conference system orvoice network 225 that is not owned by any of them.

Turning to FIG. 2B, an example 200′ of a configuration for telephoneconferencing might comprise two or more calling device 205 (eachincluding, but not limited to, at least one of a telephone 205 a, asmart phone 205 b, a mobile phone 205 c, a tablet computer (not shown),a laptop computer (not shown), a wearable device (not shown), or thelike) that are associated with or used by corresponding one or morecall-in parties 210 a-210 b (collectively, “call-in parties 210” or thelike) to initiate, or participate in, a conference call using telephoneconference system or voice network 225 via one or more networks 230(similar to network(s) 130 of FIG. 1 , or the like). At least one of thecall-in parties 210 (in this case, call-in party 210 a) might alsocall-out from the telephone conference system or voice network 225, vianetwork(s) 230, to one or more called devices 215 (each including, butnot limited to, at least one of a telephone 215 a, a smart phone 215 b,a mobile phone 215 c, a tablet computer (not shown), a laptop computer(not shown), a wearable device (not shown), or the like) that areassociated with or used by corresponding one or more destination parties220 a-220 b (collectively, “destination parties 220” or the like). Inparticular, each call-in party 210 might dial into or call into aconference bridge 245 provided by the telephone conference system orvoice network 225 using a corresponding calling device 205, while atleast one call-in party 210 might also call-out to each called device215 associated with or used by each corresponding destination party 220a-220 b (as depicted in FIG. 2B by the arrows pointing from each callingdevice 215 to the conference bridge 245 through network(s) 230 and thearrows pointing from the conference bridge 245 through network(s) 230 toeach called device 215). A computing system 235 (and correspondingdatabase(s) 240) might monitor the call activities of the call-inparties 210 a-210 b and the destination parties 220 a-220 b using thetelephone conference system or voice network 225 by monitoring thenetwork(s) 230 and tracking call connections between each calling device205 associated with corresponding call-in party 210 a-210 b and theconference bridge 245 and between the conference bridge 245 and eachcalled device 215 associated with corresponding destination party 220a-220 b.

This example configuration 200′ is subject to, or susceptible to,fraudulent or unauthorized use of the telephone conference system orvoice network 225 when one of the call-in parties 210 or a third party(not shown) provides dial-in details (e.g., conference access number,conference access code, and/or conference chairperson or leader code orpersonal identification number (“PIN”), or the like) to the othercall-in parties 210 while suggesting or promising that the other call-inparties 210 can avoid long distance or other telephone charges, or whiletrying to convince (or deceive) the other call-in parties 210 that theyare purchasing or using “pre-paid” conference services or “pre-paid”calling cards, when the one of the call-in parties 210 or the thirdparty is not authorized to provide the other call-in parties 210 withaccess to use to the telephone conference system or voice network 225.This example configuration 200′ is also (or alternatively) subject to,or susceptible to, fraudulent or unauthorized use of the telephoneconference system or voice network 225 when one of the call-in parties210 or a third party (not shown) suggests or promises that anothercall-in party 210 can avoid long distance or other telephone chargeswhen calling out to one or more destination parties 220, or while tryingto convince (or deceive) the other call-in parties 210 that they arepurchasing or using “pre-paid” conference services or “pre-paid” callingcards, or the like. This example configuration 200′ is also (oralternatively) subject to, or susceptible to, fraudulent or unauthorizeduse of the telephone conference system or voice network 225 when one ormore of the call-in parties 210 and/or the destination parties 220 usethe conference bridge 245 or the telephone conference system or voicenetwork 225 to try to obfuscate or hide their identity or to add a layerof indirection in an attempt to slow or confuse monitoring systems(e.g., law enforcement or other entities) especially when using anaccount with the telephone conference system or voice network 225 thatis not owned by any of them.

Referring to FIG. 2C, an example 200″ of a configuration for telephoneconferencing might comprise only one calling device 205 (each including,but not limited to, at least one of a telephone 205 a, a smart phone 205b, a mobile phone 205 c, a tablet computer (not shown), a laptopcomputer (not shown), a wearable device (not shown), or the like) thatis associated with or used by a corresponding call-in party 210 toinitiate, or participate in, a conference call using telephoneconference system or voice network 225 via one or more networks 230(similar to network(s) 130 of FIG. 1 , or the like). The one or singlecall-in party 210 (in this case, call-in party 210 a) might alsocall-out from the telephone conference system or voice network 225, vianetwork(s) 230, to one or more called devices 215 (each including, butnot limited to, at least one of a telephone 215 a, a smart phone 215 b,a mobile phone 215 c, a tablet computer (not shown), a laptop computer(not shown), a wearable device (not shown), or the like) that areassociated with or used by corresponding one or more destination parties220 a-220 c (collectively, “destination parties 220” or the like). Inparticular, the single call-in party 210 a might dial into or call intoa conference bridge 245 provided by the telephone conference system orvoice network 225 using a corresponding calling device 205, while alsocalling out to each called device 215 associated with or used by eachcorresponding destination party 220 a-220 c (as depicted in FIG. 2C bythe arrow pointing from the calling device 215 of call-in party 210 a tothe conference bridge 245 through network(s) 230 and the arrows pointingfrom the conference bridge 245 through network(s) 230 to each calleddevice 215). A computing system 235 (and corresponding database(s) 240)might monitor the call activities of the call-in party 210 a and thedestination parties 220 a-220 c using the telephone conference system orvoice network 225 by monitoring the network(s) 230 and tracking callconnections between calling device 205 associated with correspondingcall-in party 210 a and the conference bridge 245 and between theconference bridge 245 and each called device 215 associated withcorresponding destination party 220 a-220 c.

This example configuration 200″ is subject to, or susceptible to,fraudulent or unauthorized use of the telephone conference system orvoice network 225 when a third party (not shown) provides dial-indetails (e.g., conference access number, conference access code, and/orconference chairperson or leader code or personal identification number(“PIN”), or the like) to the single call-in party 210 a while suggestingor promising that the call-in party 210 a can avoid long distance orother telephone charges, or while trying to convince (or deceive) thecall-in party 210 a that he, she, or they are purchasing or using“pre-paid” conference services or “pre-paid” calling cards, when thethird party is not authorized to provide the call-in party 210 a withaccess to use to the telephone conference system or voice network 225.This example configuration 200″ is also (or alternatively) subject to,or susceptible to, fraudulent or unauthorized use of the telephoneconference system or voice network 225 when the single call-in party 210a: (a) uses the conference bridge 245 or the telephone conference systemor voice network 225 as his, her, or their personal toll-free telephonesystem or conference system; (b) uses the conference bridge 245 or thetelephone conference system or voice network 225 to try to obfuscate orhide his, her, or their identity or to add a layer of indirection in anattempt to slow or confuse monitoring systems (e.g., law enforcement orother entities) especially when using an account with the telephoneconference system or voice network 225 that is not owned by him, her, orthem; (c) uses the conference bridge 245 or the telephone conferencesystem or voice network 225 to make bulk calls or robocalls; (d) usesthe conference bridge 245 or the telephone conference system or voicenetwork 225 as part of a denial of service (“DoS”) attack; or (e) usesthe conference bridge 245 or the telephone conference system or voicenetwork 225 to make long-distance to avoid paying long-distance chargesor other telephone charges.

The calling devices 205, the call-in parties 210, the called devices215, the destination parties 220, the telephone conference system orvoice network 225, the network(s) 230, the computing system 235, thedatabase(s) 240, and the conference bridge 245 of FIGS. 2A-2C areotherwise similar, if not identical, to the calling devices 105, theoriginating parties 110, the called devices 115, the destination parties120, the telephone conference system or voice network 125, thenetwork(s) 130 a-130 n, the computing system 135 a or 135 b, thedatabase(s) 140 a or 140 b, and the conference bridges 145 a-145 n ofFIGS. 1 , and the descriptions of these components of the telephoneconference configurations shown in FIGS. 2A-2C are applicable to thecorresponding components of system 100, respectively.

FIG. 3 is a schematic diagram illustrating a non-limiting example 300 ofuse of a trunking bridge for a telephone conference system or voicenetwork for which fraudulent or unauthorized use monitoring anddetection may be implemented, in accordance with various embodiments.Although FIG. 3 depicts a telephone conference configuration that issimilar to that of example 200″ of FIG. 2C, the various embodiments arenot so limited and the use of the trunking bridge (as shown in FIG. 3 )may be applicable to the telephone conference configuration example 200of FIG. 2A, the telephone conference configuration example 200′ of FIG.2B, or other telephone conference configuration examples (not shown), orthe like.

In the non-limiting embodiment of FIG. 3 , an example 300 of aconfiguration for monitoring telephone conferencing might comprise asingle calling device 305 (each including, but not limited to, at leastone of a telephone 305 a, a smart phone 305 b, a mobile phone 305 c, atablet computer (not shown), a laptop computer (not shown), a wearabledevice (not shown), or the like) that is associated with or used by acorresponding call-in party 310 to initiate, or participate in, aconference call using telephone conference system or voice network 325via one or more networks 330 (similar to network(s) 130 of FIG. 1 , orthe like). As indicated above, the various embodiments of the telephoneconference monitoring are not limited to a telephone conferenceconfiguration in which a single calling device 305 or single call-inparty 310 calling into the telephone conference system or voice network,and may be applicable to more than one calling device 305 or call-inparty 310 calling into the telephone conference system or voice network.The single call-in party 310 (in this case, call-in party 310 a) mightalso call-out from the telephone conference system or voice network 325,via network(s) 330, to one or more called devices 315 (each including,but not limited to, at least one of a telephone 315 a, a smart phone 315b, a mobile phone 315 c, a tablet computer (not shown), a laptopcomputer (not shown), a wearable device (not shown), or the like) thatare associated with or used by corresponding one or more destinationparties 320 a-220 c (collectively, “destination parties 320” or thelike). In particular, the single call-in party 310 a might dial into orcall into a conference bridge 345 provided by the telephone conferencesystem or voice network 325 using a corresponding calling device 305,while also calling out to each called device 315 associated with or usedby each corresponding destination party 320 a-220 c.

Compared with the configurations as shown is FIGS. 1 and 2A-2C, amonitoring system 380 might be disposed between each calling device 305or called device 315 and the conference bridge 345 or telephoneconference system or voice network 325. Specifically, a trunking bridge385 of the monitoring system 380 might be disposed between each callingdevice 305 or called device 315 and the conference bridge 345 ortelephone conference system or voice network 325, where all incomingcalls to the conference bridge 345 or telephone conference system orvoice network 325 are first received by the trunking bridge 385, whichthen relays the incoming calls to the conference bridge 345 or telephoneconference system or voice network 325, and where all outgoing callsfrom the conference bridge 345 or telephone conference system or voicenetwork 325 are first received by the trunking bridge 385, which thenrelays the outgoing calls to the called devices 315 associate with orused by each destination party 320 a-320 c (as depicted in FIG. 3 by thearrow pointing from the calling device 315 of call-in party 310 a to thetrunking bridge 385 of monitoring system 380 through network(s) 330, andthe arrows pointing from the trunking bridge 385 through network(s) 330to each called device 315, with a double-headed arrow pointing betweenthe trunking bridge 385 and the conference bridge 345). In someembodiments, the trunking bridge 385 might include, without limitation,one of a public switched telephone network (“PSTN”) trunking bridge, anintegrated services digital network (“ISDN) trunking bridge, a voiceover Internet protocol (“VoIP”) trunking bridge, or a session initiationprotocol (“SIP”) trunking bridge, and/or the like.

According to some embodiments, the monitoring system 380 might furthercomprise computing system 335 and corresponding database(s) 340, one ormore logging systems 350 (optional), one or more artificial intelligence(“AI”) systems 355 (optional), and an interactive voice response (“IVR”)system 390 (optional), or the like, in addition to the trunking bridge385. Herein, although some components of monitoring system 380 areindicated as being optional while others are not, this is merely for theparticular embodiment as shown, and, in other embodiments, one or moreof the former set of components (or components indicated as being“optional”) may be required while one or more of the latter set ofcomponents (or components not indicated as being “optional”) may in factbe optional.

The computing system 335 (in some cases, in conjunction with use of theAI systems 355) might monitor the call activities of the call-in party310 a and the destination parties 320 a-220 c using the telephoneconference system or voice network 325 by monitoring the network(s) 330and tracking call connections through the trunking bridge 385 betweencalling device 305 associated with corresponding call-in party 310 a andthe conference bridge 345 and between the conference bridge 345 and eachcalled device 315 associated with corresponding destination party 320a-220 c. The call activity monitored by the computing system 335 throughthe trunking bridge 385 either might be stored in database(s) 340 and/ormight be logged by logging system(s) 350. In some cases, actionsinitiated by computing system 335, in response to determining thatfraudulent or unauthorized use of the telephone conference system orvoice network 325 has been detected, might include routing one or moreoffending parties 310 or 320 to IVR system 390 to obtain additionalinformation regarding the offending parties and/or to confirm fraudulentor unauthorized use of the telephone conference system or voice network325 by the one or more offending parties.

Other actions initiated by computing system 335, in response todetermining that fraudulent or unauthorized use of the telephoneconference system or voice network 325 has been detected, might, but arenot limited to, at least one of temporarily blocking a network trunk;escalating disablement of a network trunk; permanently blocking anetwork trunk; temporarily blocking an account with the telephoneconferencing system; escalating disablement of an account with thetelephone conferencing system; permanently blocking an account with thetelephone conferencing system; blocking one or more features of anaccount with the telephone conferencing system; changing routing of thecall to route through specialized equipment for monitoring or recordingthe call; changing routing of the call to route to a call center;changing routing of the call to route to a law enforcement facility;changing routing of the call to route to a message service; changingrouting of the call to terminate the call; sending an alert regardingthe call to at least one of an account owner, an account manager, a callcenter representative, or a law enforcement representative; sending ane-mail message regarding the call to at least one of an account owner,an account manager, a call center representative, or a law enforcementrepresentative; sending a short message service (“SMS”) messageregarding the call to at least one of an account owner, an accountmanager, a call center representative, or a law enforcementrepresentative; sending a text message regarding the call to at leastone of an account owner, an account manager, a call centerrepresentative, or a law enforcement representative; initiating atelephone call regarding the call to at least one of an account owner,an account manager, a call center representative, or a law enforcementrepresentative; or logging information regarding the call to a log fileor a database system (e.g., database 340 and/or logging system(s) 350,or the like); and/or the like. The use of the trunking bridge 385 mayfacilitate monitoring call activity and/or initiation of the actionslisted above.

The calling device 305, the call-in party 310, the called devices 315,the destination parties 320, the telephone conference system or voicenetwork 325, the network(s) 330, the computing system 335, thedatabase(s) 340, the conference bridge 345, the one or more loggingsystems 350, and the AI systems 355 of FIG. 3 are otherwise similar, ifnot identical, to the calling devices 105, the originating parties 110,the called devices 115, the destination parties 120, the telephoneconference system or voice network 125, the network(s) 130 a-130 n, thecomputing system 135 a or 135 b, the database(s) 140 a or 140 b, theconference bridges 145 a-145 n, the one or more logging systems 150, andthe AI systems 155 of FIGS. 1 , and the descriptions of these componentsof the telephone conference configurations shown in FIG. 3 areapplicable to the corresponding components of system 100, respectively.

FIGS. 4A-4E (collectively, “FIG. 4 ”) are flow diagrams illustrating amethod 400 for implementing monitoring and detection of fraudulent orunauthorized use in telephone conferencing systems or voice networks, inaccordance with various embodiments.

While the techniques and procedures are depicted and/or described in acertain order for purposes of illustration, it should be appreciatedthat certain procedures may be reordered and/or omitted within the scopeof various embodiments. Moreover, while the method 400 illustrated byFIG. 4 can be implemented by or with (and, in some cases, are describedbelow with respect to) the systems, examples, or embodiments 100, 200,200′, 200″, and 300 of FIGS. 1, 2A, 2B, 2C, and 3 , respectively (orcomponents thereof), such methods may also be implemented using anysuitable hardware (or software) implementation. Similarly, while each ofthe systems, examples, or embodiments 100, 200, 200′, 200″, and 300 ofFIGS. 1, 2A, 2B, 2C, and 3 , respectively (or components thereof), canoperate according to the method 400 illustrated by FIG. 4 (e.g., byexecuting instructions embodied on a computer readable medium), thesystems, examples, or embodiments 100, 200, 200′, 200″, and 300 of FIGS.1, 2A, 2B, 2C, and 3 can each also operate according to other modes ofoperation and/or perform other suitable procedures.

In the non-limiting embodiment of FIG. 4A, method 400, at optional block405, might comprise providing a trunking bridge between at least oneparty and a telephone conferencing system or voice network. In someembodiments, the trunking bridge might include, without limitation, oneof a public switched telephone network (“PSTN”) trunking bridge, anintegrated services digital network (“ISDN) trunking bridge, a voiceover Internet protocol (“VoIP”) trunking bridge, or a session initiationprotocol (“SIP”) trunking bridge, and/or the like.

At block 410, method 400 might comprise monitoring, with a computingsystem, call activity through the telephone conferencing system or voicenetwork. Method 400 might further comprise, in response to detecting useof the telephone conferencing system or voice network by the at leastone party based on the monitored call activity, identifying, with thecomputing system, at least one of incoming call data or outgoing calldata associated with a call initiated by the at least one party (block415).

Method 400 might further comprise, at block 420, analyzing, with thecomputing system, the identified at least one of incoming call data oroutgoing call data to determine whether the call initiated by the atleast one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice network.Method 400, at block 425, might comprise, based on a determination thatthe call initiated by the at least one party constitutes at least one offraudulent use or unauthorized use of the telephone conferencing systemor voice network, initiating, with the computing system, one or morefirst actions. In some cases, the trunking bridge (as provided at block405) might facilitate monitoring call activity (at block 410) and/orinitiation of the one or more first actions (at block 425).

In some embodiments, the incoming call data might include, but is notlimited to, at least one of conference identification informationassociated with a conference bridge, timestamp of call origination byeach call-in party to the conference bridge, origination telephonenumber associated with each call-in party, geographic locationinformation associated with each call-in party, or line identifiercorresponding to connection between each call-in party and theconference bridge, and/or the like. In some cases, the outgoing calldata might include, without limitation, at least one of conferenceidentification information associated with a conference bridge,timestamp of call origination by each call-out party from the conferencebridge, destination telephone number associated with each destinationparty called by each call-out party, geographic location informationassociated with each call-out party, line identifier corresponding toconnection between each destination party and the conference bridge, ortelephone number associated with each call-out party, and/or the like.In some instances, the call might be initiated by web control, and theidentified at least one of incoming call data or outgoing call datamight include, but is not limited to, at least one of conferenceidentification information associated with a conference bridge,timestamp of call origination by each call-in party to the conferencebridge, timestamp of call origination by each call-out party from theconference bridge, geographic location information associated with eachcall-in party, geographic location information associated with eachcall-out party, Internet protocol (“IP”) address associated with eachcall-in party, IP address associated with each call-out party, orWebSocket connection information, and/or the like.

With reference to FIG. 4B, which provides an alternative or additionalimplementation, method 400 might further comprise, at block 430,logging, with the computing system, information regarding the call to alog file or a database system. At block 435, method 400 might compriseanalyzing, with the computing system, the logged information to generatehistorical data associated with one or more of the at least one party,an account with the telephone conferencing system or voice network thatis used by the at least one party to initiate the call, a conferencebridge used by the at least one party to initiate the call, at least onedestination party connected by the call, or at least one locationassociated with each party. Method 400, at block 440, might comprisedetermining, with the computing system, one or more weighted measuresassociated with each generated historical data. Method 400 might furthercomprise, at block 445, generating, with the computing system, a scorebased on the historical data and the one or more weighted measures, thescore being representative of a probability of fraudulent use orunauthorized use. Method 400 might further comprise determining whetherthe call initiated by the at least one party constitutes at least one offraudulent use or unauthorized use of the telephone conferencing systemor voice network based at least in part on the generated score (block420′) and, based on a determination that the call initiated by the atleast one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice network,initiating, with the computing system, one or more first actions (block425′).

Turning to FIG. 4C, identifying the at least one of the incoming calldata or the outgoing call data associated with a call initiated by theat least one party (at block 415) might comprise at least one ofobtaining the at least one of the incoming call data or the outgoingcall data by scraping an application log file associated with thetelephone conferencing system or voice network (block 450), obtainingthe at least one of the incoming call data or the outgoing call data byusing an application programming interface (“API”) between the computingsystem and the telephone conferencing system or voice network (block455), or obtaining the at least one of the incoming call data or theoutgoing call data using a tracking service (block 460), and/or thelike.

Referring to FIG. 4D, determining whether the call initiated by the atleast one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice network(at block 420 or 420′) might comprise comparing the identified at leastone of incoming call data or outgoing call data with metadata (block465), where the metadata might include, without limitation, at least oneof account identifier associated with a user account with the telephoneconferencing system or voice network, a telephone number associated withan account owner associated with the user account, geographicinformation associated with the account owner, or contact informationassociated with the account owner, and/or the like. Alternatively, oradditionally, determining whether the call initiated by the at least oneparty constitutes at least one of fraudulent use or unauthorized use ofthe telephone conferencing system or voice network (at block 420 or420′) might comprise determining that the at least one party is anunauthorized user who is using a user account with the telephoneconferencing system or voice network for personal use or to sell tounsuspecting end-users (block 470), by at least one of determining thata personal identification number (“PIN”) or leader code associated withthe user account has been incorrectly entered more than a predeterminednumber of times, determining that an origination telephone numberassociated with the at least one party does not match a telephone numberassociated with an account owner associated with the user account,determining that the at least one party is calling from a location thatis different from geographic location associated with the account owner,determining that the at least one party is calling from a location thathas a known propensity for initiating fraudulent calls, or determiningthat at least one of one or more destination parties is located in aforeign country, and/or the like.

Alternatively, or additionally, determining whether the call initiatedby the at least one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice network(at block 420 or 420′) might comprise determining that the at least oneparty is using the telephone conferencing system or voice network as abulk call generator, determining that the at least one party is usingthe telephone conferencing system or voice network as an originator ofrobocalls, or determining that the at least one party is using thetelephone conferencing system or voice network as part of a denial ofservice (“DoS”) attack (block 475), by at least one of determining thata number of out-dials from a single user account with the telephoneconferencing system or voice network exceeds a predetermined thresholdnumber of calls within a predetermined period, determining that the atleast one party is calling from a location that has a known propensityfor initiating fraudulent calls, determining that the at least one partyis located in a foreign country, or determining that at least one of oneor more destination parties is located in a foreign country, and/or thelike. Alternatively, or additionally, determining whether the callinitiated by the at least one party constitutes at least one offraudulent use or unauthorized use of the telephone conferencing systemor voice network (at block 420 or 420′) might comprise determining thatthe at least one party is attempting to hide its identity or to hidedirect communications by the at least one party (block 480), by at leastone of determining that an origination telephone number associated withthe at least one party does not match a telephone number associated withan account owner associated with the user account or determining thatthe at least one party is calling from a location that is different fromgeographic location associated with the account owner, and/or the like.

Alternatively, or additionally, determining whether the call initiatedby the at least one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice network(at block 420 or 420′) might comprise determining that the at least oneparty is attempting to bypass long distance charges (block 485), by atleast one of determining that an origination telephone number associatedwith the at least one party does not match a telephone number associatedwith an account owner associated with the user account, determining thatthe at least one party is calling from a location that is different fromgeographic location associated with the account owner, or determiningthat the call would be subject to long distance charges if initiatedwithout using the telephone conferencing system, and/or the like.Alternatively, or additionally, determining whether the call initiatedby the at least one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice network(at block 420 or 420′) might comprise utilizing at least one of anartificial intelligence (“AI”) system or a machine learning system todetermine whether the call initiated by the at least one partyconstitutes at least one of fraudulent use or unauthorized use of thetelephone conferencing system or voice network (block 490).

With reference to FIG. 4E, initiating, with the computing system, one ormore first actions (at block 425) might comprise at least one of:temporarily blocking a network trunk (block 495 a); escalatingdisablement of a network trunk (block 495 b); permanently blocking anetwork trunk (block 495 c); temporarily blocking an account with thetelephone conferencing system (block 495 d); escalating disablement ofan account with the telephone conferencing system (block 495 e);permanently blocking an account with the telephone conferencing system(block 495 f); blocking one or more features of an account with thetelephone conferencing system (block 495 g); changing routing of thecall to route through specialized equipment for monitoring or recordingthe call (block 495 h); changing routing of the call to route to a callcenter (block 495 i); changing routing of the call to route to a lawenforcement facility (block 495 j); changing routing of the call toroute to a message service (block 495 k); changing routing of the callto route to an interactive voice response (“IVR”) system (block 495 l);changing routing of the call to terminate the call (block 495 m);sending alert(s), sending message(s), or initiating call(s) toauthorized parties regarding the call (block 495 n); or logginginformation regarding the call to a log file or a database system (block495 o); and/or the like.

In some cases, sending alert(s), sending message(s), or initiatingcall(s) to authorized parties regarding the call might comprise at leastone of sending an alert regarding the call to at least one of an accountowner, an account manager, a call center representative, or a lawenforcement representative; sending an e-mail message regarding the callto at least one of an account owner, an account manager, a call centerrepresentative, or a law enforcement representative; sending a shortmessage service (“SMS”) message regarding the call to at least one of anaccount owner, an account manager, a call center representative, or alaw enforcement representative; sending a text message regarding thecall to at least one of an account owner, an account manager, a callcenter representative, or a law enforcement representative; initiating atelephone call regarding the call to at least one of an account owner,an account manager, a call center representative, or a law enforcementrepresentative; and/or the like.

In some instances, at least one of the alert, the e-mail message, theSMS message, the text message, or the telephone call might comprise atleast one of an option to block access to the account by the at leastone party, an option to change account credentials associated with theaccount, an option to contact the account owner, or an option todisconnect the call, and/or the like, based at least in part on adetermination that the call is deemed by the at least one of the accountowner, the account manager, the call center representative, or the lawenforcement representative to be at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice network.

Exemplary System and Hardware Implementation

FIG. 5 is a block diagram illustrating an exemplary computer or systemhardware architecture, in accordance with various embodiments. FIG. 5provides a schematic illustration of one embodiment of a computer system500 of the service provider system hardware that can perform the methodsprovided by various other embodiments, as described herein, and/or canperform the functions of computer or hardware system (i.e., computingsystems 135 a, 135 b, 235, and 335, logging systems 150 a, 150 b, and350, artificial intelligence (“AI”) systems 155 and 355, and interactivevoice response (“IVR”) system 390, etc.), as described above. It shouldbe noted that FIG. 5 is meant only to provide a generalized illustrationof various components, of which one or more (or none) of each may beutilized as appropriate. FIG. 5 , therefore, broadly illustrates howindividual system elements may be implemented in a relatively separatedor relatively more integrated manner.

The computer or hardware system 500—which might represent an embodimentof the computer or hardware system (i.e., computing systems 135 a, 135b, 235, and 335, logging systems 150 a, 150 b, and 350, AI systems 155and 355, and IVR system 390, etc.), described above with respect toFIGS. 1-4 —is shown comprising hardware elements that can beelectrically coupled via a bus 505 (or may otherwise be incommunication, as appropriate). The hardware elements may include one ormore processors 510, including, without limitation, one or moregeneral-purpose processors and/or one or more special-purpose processors(such as microprocessors, digital signal processing chips, graphicsacceleration processors, and/or the like); one or more input devices515, which can include, without limitation, a mouse, a keyboard, and/orthe like; and one or more output devices 520, which can include, withoutlimitation, a display device, a printer, and/or the like.

The computer or hardware system 500 may further include (and/or be incommunication with) one or more storage devices 525, which can comprise,without limitation, local and/or network accessible storage, and/or caninclude, without limitation, a disk drive, a drive array, an opticalstorage device, solid-state storage device such as a random accessmemory (“RAM”) and/or a read-only memory (“ROM”), which can beprogrammable, flash-updateable, and/or the like. Such storage devicesmay be configured to implement any appropriate data stores, including,without limitation, various file systems, database structures, and/orthe like.

The computer or hardware system 500 might also include a communicationssubsystem 530, which can include, without limitation, a modem, a networkcard (wireless or wired), an infra-red communication device, a wirelesscommunication device and/or chipset (such as a Bluetooth™ device, an802.11 device, a WiFi device, a WiMax device, a WWAN device, cellularcommunication facilities, etc.), and/or the like. The communicationssubsystem 530 may permit data to be exchanged with a network (such asthe network described below, to name one example), with other computeror hardware systems, and/or with any other devices described herein. Inmany embodiments, the computer or hardware system 500 will furthercomprise a working memory 535, which can include a RAM or ROM device, asdescribed above.

The computer or hardware system 500 also may comprise software elements,shown as being currently located within the working memory 535,including an operating system 540, device drivers, executable libraries,and/or other code, such as one or more application programs 545, whichmay comprise computer programs provided by various embodiments(including, without limitation, hypervisors, VMs, and the like), and/ormay be designed to implement methods, and/or configure systems, providedby other embodiments, as described herein. Merely by way of example, oneor more procedures described with respect to the method(s) discussedabove might be implemented as code and/or instructions executable by acomputer (and/or a processor within a computer); in an aspect, then,such code and/or instructions can be used to configure and/or adapt ageneral purpose computer (or other device) to perform one or moreoperations in accordance with the described methods.

A set of these instructions and/or code might be encoded and/or storedon a non-transitory computer readable storage medium, such as thestorage device(s) 525 described above. In some cases, the storage mediummight be incorporated within a computer system, such as the system 500.In other embodiments, the storage medium might be separate from acomputer system (i.e., a removable medium, such as a compact disc,etc.), and/or provided in an installation package, such that the storagemedium can be used to program, configure, and/or adapt a general purposecomputer with the instructions/code stored thereon. These instructionsmight take the form of executable code, which is executable by thecomputer or hardware system 500 and/or might take the form of sourceand/or installable code, which, upon compilation and/or installation onthe computer or hardware system 500 (e.g., using any of a variety ofgenerally available compilers, installation programs,compression/decompression utilities, etc.) then takes the form ofexecutable code.

It will be apparent to those skilled in the art that substantialvariations may be made in accordance with specific requirements. Forexample, customized hardware (such as programmable logic controllers,field-programmable gate arrays, application-specific integratedcircuits, and/or the like) might also be used, and/or particularelements might be implemented in hardware, software (including portablesoftware, such as applets, etc.), or both. Further, connection to othercomputing devices such as network input/output devices may be employed.

As mentioned above, in one aspect, some embodiments may employ acomputer or hardware system (such as the computer or hardware system500) to perform methods in accordance with various embodiments of theinvention. According to a set of embodiments, some or all of theprocedures of such methods are performed by the computer or hardwaresystem 500 in response to processor 510 executing one or more sequencesof one or more instructions (which might be incorporated into theoperating system 540 and/or other code, such as an application program545) contained in the working memory 535. Such instructions may be readinto the working memory 535 from another computer readable medium, suchas one or more of the storage device(s) 525. Merely by way of example,execution of the sequences of instructions contained in the workingmemory 535 might cause the processor(s) 510 to perform one or moreprocedures of the methods described herein.

The terms “machine readable medium” and “computer readable medium,” asused herein, refer to any medium that participates in providing datathat causes a machine to operate in a specific fashion. In an embodimentimplemented using the computer or hardware system 500, various computerreadable media might be involved in providing instructions/code toprocessor(s) 510 for execution and/or might be used to store and/orcarry such instructions/code (e.g., as signals). In manyimplementations, a computer readable medium is a non-transitory,physical, and/or tangible storage medium. In some embodiments, acomputer readable medium may take many forms, including, but not limitedto, non-volatile media, volatile media, or the like. Non-volatile mediaincludes, for example, optical and/or magnetic disks, such as thestorage device(s) 525. Volatile media includes, without limitation,dynamic memory, such as the working memory 535. In some alternativeembodiments, a computer readable medium may take the form oftransmission media, which includes, without limitation, coaxial cables,copper wire, and fiber optics, including the wires that comprise the bus505, as well as the various components of the communication subsystem530 (and/or the media by which the communications subsystem 530 providescommunication with other devices). In an alternative set of embodiments,transmission media can also take the form of waves (including withoutlimitation radio, acoustic, and/or light waves, such as those generatedduring radio-wave and infra-red data communications).

Common forms of physical and/or tangible computer readable mediainclude, for example, a floppy disk, a flexible disk, a hard disk,magnetic tape, or any other magnetic medium, a CD-ROM, any other opticalmedium, punch cards, paper tape, any other physical medium with patternsof holes, a RAM, a PROM, and EPROM, a FLASH-EPROM, any other memory chipor cartridge, a carrier wave as described hereinafter, or any othermedium from which a computer can read instructions and/or code.

Various forms of computer readable media may be involved in carrying oneor more sequences of one or more instructions to the processor(s) 510for execution. Merely by way of example, the instructions may initiallybe carried on a magnetic disk and/or optical disc of a remote computer.A remote computer might load the instructions into its dynamic memoryand send the instructions as signals over a transmission medium to bereceived and/or executed by the computer or hardware system 500. Thesesignals, which might be in the form of electromagnetic signals, acousticsignals, optical signals, and/or the like, are all examples of carrierwaves on which instructions can be encoded, in accordance with variousembodiments of the invention.

The communications subsystem 530 (and/or components thereof) generallywill receive the signals, and the bus 505 then might carry the signals(and/or the data, instructions, etc. carried by the signals) to theworking memory 535, from which the processor(s) 505 retrieves andexecutes the instructions. The instructions received by the workingmemory 535 may optionally be stored on a storage device 525 eitherbefore or after execution by the processor(s) 510.

As noted above, a set of embodiments comprises methods and systems forimplementing monitoring and detection of fraudulent or unauthorized use,and, more particularly, to methods, systems, and apparatuses forimplementing monitoring and detection of fraudulent or unauthorized usein telephone conferencing systems or voice networks. FIG. 6 illustratesa schematic diagram of a system 600 that can be used in accordance withone set of embodiments. The system 600 can include one or more usercomputers, user devices, or customer devices 605. A user computer, userdevice, or customer device 605 can be a general purpose personalcomputer (including, merely by way of example, desktop computers, tabletcomputers, laptop computers, handheld computers, and the like, runningany appropriate operating system, several of which are available fromvendors such as Apple, Microsoft Corp., and the like), cloud computingdevices, a server(s), and/or a workstation computer(s) running any of avariety of commercially-available UNIX™ or UNIX-like operating systems.A user computer, user device, or customer device 605 can also have anyof a variety of applications, including one or more applicationsconfigured to perform methods provided by various embodiments (asdescribed above, for example), as well as one or more officeapplications, database client and/or server applications, and/or webbrowser applications. Alternatively, a user computer, user device, orcustomer device 605 can be any other electronic device, such as athin-client computer, Internet-enabled mobile telephone, and/or personaldigital assistant, capable of communicating via a network (e.g., thenetwork(s) 610 described below) and/or of displaying and navigating webpages or other types of electronic documents. Although the exemplarysystem 600 is shown with two user computers, user devices, or customerdevices 605, any number of user computers, user devices, or customerdevices can be supported.

Certain embodiments operate in a networked environment, which caninclude a network(s) 610. The network(s) 610 can be any type of networkfamiliar to those skilled in the art that can support datacommunications using any of a variety of commercially-available (and/orfree or proprietary) protocols, including, without limitation, TCP/IP,SNA™, IPX™, AppleTalk™, and the like. Merely by way of example, thenetwork(s) 610 (similar to networks 130 a-130 n, 230, and 330 of FIGS.1-3 , or the like) can each include a local area network (“LAN”),including, without limitation, a fiber network, an Ethernet network, aToken-Ring™ network, and/or the like; a wide-area network (“WAN”); awireless wide area network (“WWAN”); a virtual network, such as avirtual private network (“VPN”); the Internet; an intranet; an extranet;a public switched telephone network (“PSTN”); an infra-red network; awireless network, including, without limitation, a network operatingunder any of the IEEE 802.11 suite of protocols, the Bluetooth™ protocolknown in the art, and/or any other wireless protocol; and/or anycombination of these and/or other networks. In a particular embodiment,the network might include an access network of the service provider(e.g., an Internet service provider (“ISP”)). In another embodiment, thenetwork might include a core network of the service provider, and/or theInternet.

Embodiments can also include one or more server computers 615. Each ofthe server computers 615 may be configured with an operating system,including, without limitation, any of those discussed above, as well asany commercially (or freely) available server operating systems. Each ofthe servers 615 may also be running one or more applications, which canbe configured to provide services to one or more clients 605 and/orother servers 615.

Merely by way of example, one of the servers 615 might be a data server,a web server, a cloud computing device(s), or the like, as describedabove. The data server might include (or be in communication with) a webserver, which can be used, merely by way of example, to process requestsfor web pages or other electronic documents from user computers 605. Theweb server can also run a variety of server applications, including HTTPservers, FTP servers, CGI servers, database servers, Java servers, andthe like. In some embodiments of the invention, the web server may beconfigured to serve web pages that can be operated within a web browseron one or more of the user computers 605 to perform methods of theinvention.

The server computers 615, in some embodiments, might include one or moreapplication servers, which can be configured with one or moreapplications accessible by a client running on one or more of the clientcomputers 605 and/or other servers 615. Merely by way of example, theserver(s) 615 can be one or more general purpose computers capable ofexecuting programs or scripts in response to the user computers 605and/or other servers 615, including, without limitation, webapplications (which might, in some cases, be configured to performmethods provided by various embodiments). Merely by way of example, aweb application can be implemented as one or more scripts or programswritten in any suitable programming language, such as Java™, C, C#™ orC++, and/or any scripting language, such as Perl, Python, or TCL, aswell as combinations of any programming and/or scripting languages. Theapplication server(s) can also include database servers, including,without limitation, those commercially available from Oracle™,Microsoft™, Sybase™, IBM™, and the like, which can process requests fromclients (including, depending on the configuration, dedicated databaseclients, API clients, web browsers, etc.) running on a user computer,user device, or customer device 605 and/or another server 615. In someembodiments, an application server can perform one or more of theprocesses for implementing monitoring and detection of fraudulent orunauthorized use, and, more particularly, to methods, systems, andapparatuses for implementing monitoring and detection of fraudulent orunauthorized use in telephone conferencing systems or voice networks, asdescribed in detail above. Data provided by an application server may beformatted as one or more web pages (comprising HTML, JavaScript, etc.,for example) and/or may be forwarded to a user computer 605 via a webserver (as described above, for example). Similarly, a web server mightreceive web page requests and/or input data from a user computer 605and/or forward the web page requests and/or input data to an applicationserver. In some cases, a web server may be integrated with anapplication server.

In accordance with further embodiments, one or more servers 615 canfunction as a file server and/or can include one or more of the files(e.g., application code, data files, etc.) necessary to implementvarious disclosed methods, incorporated by an application running on auser computer 605 and/or another server 615. Alternatively, as thoseskilled in the art will appreciate, a file server can include allnecessary files, allowing such an application to be invoked remotely bya user computer, user device, or customer device 605 and/or server 615.

It should be noted that the functions described with respect to variousservers herein (e.g., application server, database server, web server,file server, etc.) can be performed by a single server and/or aplurality of specialized servers, depending on implementation-specificneeds and parameters.

In certain embodiments, the system can include one or more databases 620a-620 n (collectively, “databases 620”). The location of each of thedatabases 620 is discretionary: merely by way of example, a database 620a might reside on a storage medium local to (and/or resident in) aserver 615 a (and/or a user computer, user device, or customer device605). Alternatively, a database 620 n can be remote from any or all ofthe computers 605, 615, so long as it can be in communication (e.g., viathe network 610) with one or more of these. In a particular set ofembodiments, a database 620 can reside in a storage-area network (“SAN”)familiar to those skilled in the art. (Likewise, any necessary files forperforming the functions attributed to the computers 605, 615 can bestored locally on the respective computer and/or remotely, asappropriate.) In one set of embodiments, the database 620 can be arelational database, such as an Oracle database, that is adapted tostore, update, and retrieve data in response to SQL-formatted commands.The database might be controlled and/or maintained by a database server,as described above, for example.

According to some embodiments, system 600 might further comprise acalling device(s) 625 (similar to calling devices 105, 205, and 305 ofFIGS. 1-3 , or the like) associated with each of one or morecorresponding originating parties 630 (similar to originating parties110, call-in parties 210, or call-in/call-out parties 210 or 310 ofFIGS. 1-3 , or the like) and a called device(s) 635 (similar to calleddevices 115, 215, and 315 of FIGS. 1-3 , or the like) associated witheach of one or more corresponding destination parties 640 (similar todestination parties 120, 220, and 320 of FIGS. 1-3 , or the like).System 600 might further comprise telephone conference system or voicenetwork 645 (similar to telephone conference system or voice networks125, 225, and 325 of FIGS. 1-3 , or the like), computing system 650 aand corresponding database(s) 655 a (similar to computing systems 135 a,235, and 335 and corresponding database(s) 140 a, 240, and 340 of FIGS.1-3 , or the like), computing system 650 and corresponding database(s)655 b (similar to computing system 135 b and corresponding database(s)140 b of FIG. 1 , or the like). Computing system 650 a and correspondingdatabase(s) 655 a might be disposed external to telephone conferencesystem or voice network 645, while computing system 650 b andcorresponding database(s) 655 b might be disposed within telephoneconference system or voice network 645. System 600 might furthercomprise one or more conference bridges 660 a-660 n (similar toconference bridges 145 a-145 n, 245, and 345 of FIGS. 1-3 , or thelike), one or more logging systems 665 a (optional; similar to loggingsystems 150 a and 350 of FIGS. 1 and 3 , or the like), and one or moreartificial intelligence (“AI”) systems 670 (optional; similar to AIsystems 155 and 355 of FIGS. 1 and 3 , or the like), each of which maybe disposed within telephone conference system or voice network 645.System 600 might further comprise one or more logging systems 665 b(optional; similar to logging systems 150 b and 350 of FIGS. 1 and 3 ,or the like) that may be disposed external to telephone conferencesystem or voice network 645.

In operation, computing system 650 a, computing system 650 b, or amonitoring system (such as monitoring system 380 of FIG. 3 , or thelike) (collectively, “computing system” or the like) might monitor callactivity through telephone conferencing system or voice network 645. Inresponse to detecting use of the telephone conferencing system or voicenetwork 645 by at least one party (e.g., at least one of one or moreoriginating parties 630 and/or one or more destination parties 640, orthe like) based on the monitored call activity, the computing systemmight identify at least one of incoming call data or outgoing call dataassociated with a call initiated by the at least one party. Thecomputing system might analyze the identified at least one of incomingcall data or outgoing call data to determine whether the call initiatedby the at least one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice network645. Based on a determination that the call initiated by the at leastone party constitutes at least one of fraudulent use or unauthorized useof the telephone conferencing system or voice network, the computingsystem might initiate one or more first actions.

In some embodiments, the incoming call data might include, withoutlimitation, at least one of conference identification informationassociated with a conference bridge, timestamp of call origination byeach call-in party to the conference bridge, origination telephonenumber associated with each call-in party, geographic locationinformation associated with each call-in party, or line identifier(e.g., network line, conference line, media resource line, or the like)corresponding to connection between each call-in party and theconference bridge, and/or the like. In some cases, the outgoing calldata might include, but is not limited to, at least one of conferenceidentification information associated with a conference bridge,timestamp of call origination by each call-out party from the conferencebridge, destination telephone number associated with each destinationparty called by each call-out party, geographic location informationassociated with each call-out party, line identifier (e.g., networkline, conference line, media resource line, or the like) correspondingto connection between each destination party and the conference bridge,or telephone number associated with each call-out party, and/or thelike. In some instances, the call might be initiated by web control bythe at least one parties, and the identified at least one of incomingcall data or outgoing call data might include, without limitation, atleast one of conference identification information associated with aconference bridge, timestamp of call origination by each call-in partyto the conference bridge, timestamp of call origination by each call-outparty from the conference bridge, geographic location informationassociated with each call-in party, geographic location informationassociated with each call-out party, Internet protocol (“IP”) addressassociated with each call-in party, IP address associated with eachcall-out party, or WebSocket connection information, and/or the like.

According to some embodiments, identifying the at least one of theincoming call data or the outgoing call data associated with a callinitiated by the at least one party might comprise obtaining the atleast one of the incoming call data or the outgoing call data by atleast one of scraping an application log file associated with thetelephone conferencing system or voice network (not shown), using anapplication programming interface (“API”) between the computing systemand the telephone conferencing system or voice network 645 (not shown),or using a tracking service (not shown), and/or the like.

Merely by way of example, in some instances, determining whether thecall initiated by the at least one party constitutes at least one offraudulent use or unauthorized use of the telephone conferencing systemor voice network might comprise comparing the identified at least one ofincoming call data or outgoing call data with metadata, wherein themetadata might include, without limitation, at least one of accountidentifier associated with a user account with the telephoneconferencing system or voice network, a telephone number associated withan account owner associated with the user account, geographicinformation associated with the account owner, or contact informationassociated with the account owner, and/or the like.

Alternatively, or additionally, determining whether the call initiatedby the at least one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice networkmight comprise determining that the at least one party is anunauthorized user who is using a user account with the telephoneconferencing system or voice network for personal use or to sell tounsuspecting end-users, by at least one of determining that a personalidentification number (“PIN”) or leader code associated with the useraccount has been incorrectly entered more than a predetermined number oftimes (e.g., 5 times or 6 times, or the like; which is likely indicativeof “PIN scanning” by an offending party trying to guess at the PIN orleader code after having already identified a valid account, or thelike), determining that an origination telephone number associated withthe at least one party does not match a telephone number associated withan account owner associated with the user account, determining that theat least one party is calling from a location that is different fromgeographic location associated with the account owner, determining thatthe at least one party is calling from a location that has a knownpropensity for initiating fraudulent calls, or determining that at leastone of one or more destination parties is located in a foreign country,and/or the like. Any or all of these determinations may result in thecall being flagged for further investigation by the computing system orby a person(s) alerted by the computing system.

Alternatively, or additionally, determining whether the call initiatedby the at least one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice networkmight comprise one of determining that the at least one party is usingthe telephone conferencing system or voice network as a bulk callgenerator, determining that the at least one party is using thetelephone conferencing system or voice network as an originator ofrobocalls, or determining that the at least one party is using thetelephone conferencing system or voice network as part of a denial ofservice (“DoS”) attack, and/or the like, by at least one of determiningthat a number of out-dials from a single user account with the telephoneconferencing system or voice network exceeds a predetermined thresholdnumber of calls within a predetermined period, determining that the atleast one party is calling from a location that has a known propensityfor initiating fraudulent calls, determining that the at least one partyis located in a foreign country, or determining that at least one of oneor more destination parties is located in a foreign country, and/or thelike. Any or all of these determinations may result in the call beingflagged for further investigation by the computing system or by aperson(s) alerted by the computing system. For example, if the number oftimes of dial-out or call-out exceeds a threshold amount (e.g., 20 timesin one day, for instance, although not limited to such an amount), thesystem might flag the activity for further investigation by thecomputing system or by the person(s) alerted by the computing system. Amore sensitive threshold amount may be set for activity that is focusedon a single destination number or single destination party, or the like.

Alternatively, or additionally, determining whether the call initiatedby the at least one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice networkmight comprise determining that the at least one party is attempting tohide its identity or to hide direct communications by the at least oneparty, by at least one of determining that an origination telephonenumber associated with the at least one party does not match a telephonenumber associated with an account owner associated with the user accountor determining that the at least one party is calling from a locationthat is different from geographic location associated with the accountowner, or the like.

Alternatively, or additionally, determining whether the call initiatedby the at least one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice networkmight comprise determining that the at least one party is attempting tobypass long distance charges, by at least one of determining that anorigination telephone number associated with the at least one party doesnot match a telephone number associated with an account owner associatedwith the user account, determining that the at least one party iscalling from a location that is different from geographic locationassociated with the account owner, or determining that the call would besubject to long distance charges if initiated without using thetelephone conferencing system, and/or the like.

Alternatively, or additionally, determining whether the call initiatedby the at least one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice networkmight comprise utilizing at least one of an artificial intelligence(“AI”) system or a machine learning system, and/or the like, todetermine whether the call initiated by the at least one partyconstitutes at least one of fraudulent use or unauthorized use of thetelephone conferencing system or voice network.

In some embodiments, the one or more first actions might include, but isnot limited to, at least one of temporarily blocking a network trunk;escalating disablement of a network trunk; permanently blocking anetwork trunk; temporarily blocking an account with the telephoneconferencing system; escalating disablement of an account with thetelephone conferencing system; permanently blocking an account with thetelephone conferencing system; blocking one or more features of anaccount with the telephone conferencing system; changing routing of thecall to route through specialized equipment for monitoring or recordingthe call; changing routing of the call to route to a call center;changing routing of the call to route to a law enforcement facility;changing routing of the call to route to a message service; changingrouting of the call to route to an interactive voice response (“IVR”)system; changing routing of the call to terminate the call; sending analert regarding the call to at least one of an account owner, an accountmanager, a call center representative, or a law enforcementrepresentative (e.g., to user device 605 a or 605 b associated with theat least one of the account owner, the account manager, the call centerrepresentative, or the law enforcement representative, or the like);sending an e-mail message regarding the call to at least one of anaccount owner, an account manager, a call center representative, or alaw enforcement representative (e.g., to user device 605 a or 605 bassociated with the at least one of the account owner, the accountmanager, the call center representative, or the law enforcementrepresentative, or the like); sending a short message service (“SMS”)message regarding the call to at least one of an account owner, anaccount manager, a call center representative, or a law enforcementrepresentative (e.g., to user device 605 a or 605 b associated with theat least one of the account owner, the account manager, the call centerrepresentative, or the law enforcement representative, or the like);sending a text message regarding the call to at least one of an accountowner, an account manager, a call center representative, or a lawenforcement representative (e.g., to user device 605 a or 605 bassociated with the at least one of the account owner, the accountmanager, the call center representative, or the law enforcementrepresentative, or the like); initiating a telephone call regarding thecall to at least one of an account owner, an account manager, a callcenter representative, or a law enforcement representative (e.g., touser device 605 a or 605 b associated with the at least one of theaccount owner, the account manager, the call center representative, orthe law enforcement representative, or the like); or logging informationregarding the call to a log file or a database system; and/or the like.

In some cases, at least one of the alert, the e-mail message, the SMSmessage, the text message, or the telephone call, and/or the like, mightcomprise at least one of an option to block access to the account by theat least one party, an option to change account credentials associatedwith the account, an option to contact the account owner, or an optionto disconnect the call, based at least in part on a determination thatthe call is deemed by the at least one of the account owner, the accountmanager, the call center representative, or the law enforcementrepresentative to be at least one of fraudulent use or unauthorized useof the telephone conferencing system or voice network, and/or the like.

These and other functions of the system 600 (and its components) aredescribed in greater detail above with respect to FIGS. 1-4 .

While certain features and aspects have been described with respect toexemplary embodiments, one skilled in the art will recognize thatnumerous modifications are possible. For example, the methods andprocesses described herein may be implemented using hardware components,software components, and/or any combination thereof. Further, whilevarious methods and processes described herein may be described withrespect to particular structural and/or functional components for easeof description, methods provided by various embodiments are not limitedto any particular structural and/or functional architecture but insteadcan be implemented on any suitable hardware, firmware and/or softwareconfiguration. Similarly, while certain functionality is ascribed tocertain system components, unless the context dictates otherwise, thisfunctionality can be distributed among various other system componentsin accordance with the several embodiments.

Moreover, while the procedures of the methods and processes describedherein are described in a particular order for ease of description,unless the context dictates otherwise, various procedures may bereordered, added, and/or omitted in accordance with various embodiments.Moreover, the procedures described with respect to one method or processmay be incorporated within other described methods or processes;likewise, system components described according to a particularstructural architecture and/or with respect to one system may beorganized in alternative structural architectures and/or incorporatedwithin other described systems. Hence, while various embodiments aredescribed with—or without—certain features for ease of description andto illustrate exemplary aspects of those embodiments, the variouscomponents and/or features described herein with respect to a particularembodiment can be substituted, added and/or subtracted from among otherdescribed embodiments, unless the context dictates otherwise.Consequently, although several exemplary embodiments are describedabove, it will be appreciated that the invention is intended to coverall modifications and equivalents within the scope of the followingclaims.

What is claimed is:
 1. A method, comprising: monitoring, with acomputing system, call activity through a telephone conferencing systemor voice network; in response to detecting use of the telephoneconferencing system or voice network by at least one party based on themonitored call activity, identifying, with the computing system, atleast one of incoming call data or outgoing call data associated with acall initiated by the at least one party; analyzing, with the computingsystem, the identified at least one of incoming call data or outgoingcall data to determine whether the call initiated by the at least oneparty constitutes at least one of fraudulent use or unauthorized use ofthe telephone conferencing system or voice network; and based on adetermination that the call initiated by the at least one partyconstitutes at least one of fraudulent use or unauthorized use of thetelephone conferencing system or voice network, initiating, with thecomputing system, one or more first actions, wherein the at least one ofincoming call data or outgoing call data comprises at least conferenceidentification information associated with a conference bridge.
 2. Themethod of claim 1, wherein the incoming call data further comprises atleast one of timestamp of call origination by each call-in party to theconference bridge, origination telephone number associated with eachcall-in party, geographic location information associated with eachcall-in party, or line identifier corresponding to connection betweeneach call-in party and the conference bridge.
 3. The method of claim 1,wherein the outgoing call data further comprises at least one oftimestamp of call origination by each call-out party from the conferencebridge, destination telephone number associated with each destinationparty called by each call-out party, geographic location informationassociated with each call-out party, line identifier corresponding toconnection between each destination party and the conference bridge, ortelephone number associated with each call-out party.
 4. The method ofclaim 1, wherein the call is initiated by web control, wherein theidentified at least one of incoming call data or outgoing call datafurther comprises at least one of timestamp of call origination by eachcall-in party to the conference bridge, timestamp of call origination byeach call-out party from the conference bridge, geographic locationinformation associated with each call-in party, geographic locationinformation associated with each call-out party, Internet protocol(“IP”) address associated with each call-in party, IP address associatedwith each call-out party, or WebSocket connection information.
 5. Themethod of claim 1, wherein identifying the at least one of the incomingcall data or the outgoing call data associated with a call initiated bythe at least one party comprises obtaining the at least one of theincoming call data or the outgoing call data by at least one of scrapingan application log file associated with the telephone conferencingsystem or voice network, using an application programming interface(“API”) between the computing system and the telephone conferencingsystem or voice network, or using a tracking service.
 6. The method ofclaim 1, wherein determining whether the call initiated by the at leastone party constitutes at least one of fraudulent use or unauthorized useof the telephone conferencing system or voice network comprisescomparing, with the computing system, the identified at least one ofincoming call data or outgoing call data with metadata, wherein themetadata comprises at least one of account identifier associated with auser account with the telephone conferencing system or voice network, atelephone number associated with an account owner associated with theuser account, geographic information associated with the account owner,or contact information associated with the account owner.
 7. The methodof claim 1, wherein determining whether the call initiated by the atleast one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice networkcomprises determining that the at least one party is an unauthorizeduser who is using a user account with the telephone conferencing systemor voice network for personal use or to sell to unsuspecting end-users,by at least one of determining that a personal identification number(“PIN”) or leader code associated with the user account has beenincorrectly entered more than a predetermined number of times,determining that an origination telephone number associated with the atleast one party does not match a telephone number associated with anaccount owner associated with the user account, determining that the atleast one party is calling from a location that is different fromgeographic location associated with the account owner, determining thatthe at least one party is calling from a location that has a knownpropensity for initiating fraudulent calls, or determining that at leastone of one or more destination parties is located in a foreign country.8. The method of claim 1, wherein determining whether the call initiatedby the at least one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice networkcomprises one of determining that the at least one party is using thetelephone conferencing system or voice network as a bulk call generator,determining that the at least one party is using the telephoneconferencing system or voice network as an originator of robocalls, ordetermining that the at least one party is using the telephoneconferencing system or voice network as part of a denial of service(“DoS”) attack, by at least one of determining that a number ofout-dials from a single user account with the telephone conferencingsystem or voice network exceeds a predetermined threshold number ofcalls within a predetermined period, determining that the at least oneparty is calling from a location that has a known propensity forinitiating fraudulent calls, determining that the at least one party islocated in a foreign country, or determining that at least one of one ormore destination parties is located in a foreign country.
 9. The methodof claim 1, wherein determining whether the call initiated by the atleast one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice networkcomprises determining that the at least one party is attempting to hideits identity or to hide direct communications by the at least one party,by at least one of determining that an origination telephone numberassociated with the at least one party does not match a telephone numberassociated with an account owner associated with the user account ordetermining that the at least one party is calling from a location thatis different from geographic location associated with the account owner.10. The method of claim 1, wherein determining whether the callinitiated by the at least one party constitutes at least one offraudulent use or unauthorized use of the telephone conferencing systemor voice network comprises determining that the at least one party isattempting to bypass long distance charges, by at least one ofdetermining that an origination telephone number associated with the atleast one party does not match a telephone number associated with anaccount owner associated with the user account, determining that the atleast one party is calling from a location that is different fromgeographic location associated with the account owner, or determiningthat the call would be subject to long distance charges if initiatedwithout using the telephone conferencing system.
 11. The method of claim1, wherein determining whether the call initiated by the at least oneparty constitutes at least one of fraudulent use or unauthorized use ofthe telephone conferencing system or voice network comprises utilizingat least one of an artificial intelligence (“AI”) system or a machinelearning system to determine whether the call initiated by the at leastone party constitutes at least one of fraudulent use or unauthorized useof the telephone conferencing system or voice network.
 12. The method ofclaim 1, wherein the one or more first actions comprise at least one oftemporarily blocking a network trunk; escalating disablement of anetwork trunk; permanently blocking a network trunk; temporarilyblocking an account with the telephone conferencing system; escalatingdisablement of an account with the telephone conferencing system;permanently blocking an account with the telephone conferencing system;blocking one or more features of an account with the telephoneconferencing system; changing routing of the call to route throughspecialized equipment for monitoring or recording the call; changingrouting of the call to route to a call center; changing routing of thecall to route to a law enforcement facility; changing routing of thecall to route to a message service; changing routing of the call toroute to an interactive voice response (“IVR”) system; changing routingof the call to terminate the call; sending an alert regarding the callto at least one of an account owner, an account manager, a call centerrepresentative, or a law enforcement representative; sending an e-mailmessage regarding the call to at least one of an account owner, anaccount manager, a call center representative, or a law enforcementrepresentative; sending a short message service (“SMS”) messageregarding the call to at least one of an account owner, an accountmanager, a call center representative, or a law enforcementrepresentative; sending a text message regarding the call to at leastone of an account owner, an account manager, a call centerrepresentative, or a law enforcement representative; initiating atelephone call regarding the call to at least one of an account owner,an account manager, a call center representative, or a law enforcementrepresentative; or logging information regarding the call to a log fileor a database system.
 13. The method of claim 12, wherein at least oneof the alert, the e-mail message, the SMS message, the text message, orthe telephone call comprises at least one of an option to block accessto the account by the at least one party, an option to change accountcredentials associated with the account, an option to contact theaccount owner, or an option to disconnect the call, based at least inpart on a determination that the call is deemed by the at least one ofthe account owner, the account manager, the call center representative,or the law enforcement representative to be at least one of fraudulentuse or unauthorized use of the telephone conferencing system or voicenetwork.
 14. The method of claim 1, further comprising: logging, withthe computing system, information regarding the call to a log file or adatabase system; analyzing, with the computing system, the loggedinformation to generate historical data associated with one or more ofthe at least one party, an account with the telephone conferencingsystem or voice network that is used by the at least one party toinitiate the call, a conference bridge used by the at least one party toinitiate the call, at least one destination party connected by the call,or at least one location associated with each party; determining, withthe computing system, one or more weighted measures associated with eachgenerated historical data; and generating, with the computing system, ascore based on the historical data and the one or more weightedmeasures, the score being representative of a probability of fraudulentuse or unauthorized use; wherein determining whether the call initiatedby the at least one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice networkcomprises determining whether the call initiated by the at least oneparty constitutes at least one of fraudulent use or unauthorized use ofthe telephone conferencing system or voice network based at least inpart on the generated score.
 15. The method of claim 1, furthercomprising: providing a trunking bridge between the at least one partyand the telephone conferencing system or voice network, wherein thetrunking bridge comprises one of a public switched telephone network(“PSTN”) trunking bridge, an integrated services digital network (“ISDN)trunking bridge, a voice over Internet protocol (“VoIP”) trunkingbridge, or a session initiation protocol (“SIP”) trunking bridge;wherein the trunking bridge facilitates monitoring call activity andinitiation of the one or more first actions.
 16. An apparatus,comprising: at least one processor; and a non-transitory computerreadable medium communicatively coupled to the at least one processor,the non-transitory computer readable medium having stored thereoncomputer software comprising a set of instructions that, when executedby the at least one processor, causes the apparatus to: monitor callactivity through a telephone conferencing system or voice network; inresponse to detecting use of the telephone conferencing system or voicenetwork by at least one party based on the monitored call activity,identify at least one of incoming call data or outgoing call dataassociated with a call initiated by the at least one party; analyze theidentified at least one of incoming call data or outgoing call data todetermine whether the call initiated by the at least one partyconstitutes at least one of fraudulent use or unauthorized use of thetelephone conferencing system or voice network; and based on adetermination that the call initiated by the at least one partyconstitutes at least one of fraudulent use or unauthorized use of thetelephone conferencing system or voice network, initiate one or morefirst actions, wherein the at least one of incoming call data oroutgoing call data comprises at least conference identificationinformation associated with a conference bridge.
 17. The apparatus ofclaim 16, wherein the one or more first actions comprise at least one oftemporarily blocking a network trunk; escalating disablement of anetwork trunk; permanently blocking a network trunk; temporarilyblocking an account with the telephone conferencing system; escalatingdisablement of an account with the telephone conferencing system;permanently blocking an account with the telephone conferencing system;blocking one or more features of an account with the telephoneconferencing system; changing routing of the call to route throughspecialized equipment for monitoring or recording the call; changingrouting of the call to route to a call center; changing routing of thecall to route to a law enforcement facility; changing routing of thecall to route to a message service; changing routing of the call toroute to an interactive voice response (“IVR”) system; changing routingof the call to terminate the call; sending an alert regarding the callto at least one of an account owner, an account manager, a call centerrepresentative, or a law enforcement representative; sending an e-mailmessage regarding the call to at least one of an account owner, anaccount manager, a call center representative, or a law enforcementrepresentative; sending a short message service (“SMS”) messageregarding the call to at least one of an account owner, an accountmanager, a call center representative, or a law enforcementrepresentative; sending a text message regarding the call to at leastone of an account owner, an account manager, a call centerrepresentative, or a law enforcement representative; initiating atelephone call regarding the call to at least one of an account owner,an account manager, a call center representative, or a law enforcementrepresentative; or logging information regarding the call to a log fileor a database system.
 18. The apparatus of claim 16, wherein the set ofinstructions, when executed by the at least one processor, furthercauses the apparatus to: log information regarding the call to a logfile or a database system; analyze the logged information to generatehistorical data associated with one or more of the at least one party,an account with the telephone conferencing system or voice network thatis used by the at least one party to initiate the call, a conferencebridge used by the at least one party to initiate the call, at least onedestination party connected by the call, or at least one locationassociated with each party; determine one or more weighted measuresassociated with each generated historical data; and generate a scorebased on the historical data and the one or more weighted measures, thescore being representative of a probability of fraudulent use orunauthorized use; wherein determining whether the call initiated by theat least one party constitutes at least one of fraudulent use orunauthorized use of the telephone conferencing system or voice networkcomprises determining whether the call initiated by the at least oneparty constitutes at least one of fraudulent use or unauthorized use ofthe telephone conferencing system or voice network based at least inpart on the generated score.
 19. The apparatus of claim 16, wherein theset of instructions, when executed by the at least one processor,further causes the apparatus to: provide a trunking bridge between theat least one party and the telephone conferencing system or voicenetwork, wherein the trunking bridge comprises one of a public switchedtelephone network (“PSTN”) trunking bridge, an integrated servicesdigital network (“ISDN) trunking bridge, a voice over Internet protocol(“VoIP”) trunking bridge, or a session initiation protocol (“SIP”)trunking bridge; wherein the trunking bridge facilitates monitoring callactivity and initiation of the one or more first actions.
 20. A system,comprising: a computing system, comprising: at least one firstprocessor; and a first non-transitory computer readable mediumcommunicatively coupled to the at least one first processor, the firstnon-transitory computer readable medium having stored thereon computersoftware comprising a first set of instructions that, when executed bythe at least one first processor, causes the computing system to:monitor call activity through a telephone conferencing system or voicenetwork; in response to detecting use of the telephone conferencingsystem or voice network by at least one party based on the monitoredcall activity, identify at least one of incoming call data or outgoingcall data associated with a call initiated by the at least one party;analyze the identified at least one of incoming call data or outgoingcall data to determine whether the call initiated by the at least oneparty constitutes at least one of fraudulent use or unauthorized use ofthe telephone conferencing system or voice network; and based on adetermination that the call initiated by the at least one partyconstitutes at least one of fraudulent use or unauthorized use of thetelephone conferencing system or voice network, initiate one or morefirst actions, wherein the at least one of incoming call data oroutgoing call data comprises at least conference identificationinformation associated with a conference bridge.